Unified Endpoint Management Server Security Requirements Guide

  • Version/Release: V1R2
  • Published: 2023-02-13

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
AC-10 - Medium - CCI-000054 - V-234275 - SV-234275r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
SRG-APP-000001-UEM-000001
Vuln IDs
  • V-234275
Rule IDs
  • SV-234275r879511_rule
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. Satisfies: FMT_SMF.1.1(2) b. Reference: PP-MDM-431010
Checks: C-37460r617394_chk

Verify the UEM server limits the number of concurrent sessions per privileged user account to three or less concurrent sessions. If the UEM server does not limit the number of concurrent sessions per privileged user account to three or less concurrent sessions, this is a finding.

Fix: F-37425r617395_fix

Configure the UEM server to limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.

The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
AC-11 - Medium - CCI-000060 - V-234276 - SV-234276r879512_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000060
Version
SRG-APP-000002-UEM-000002
Vuln IDs
  • V-234276
Rule IDs
  • SV-234276r879512_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. When the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. Satisfies: FMT_SMF.1.1(2) b. Reference: PP-MDM-431011
Checks: C-37461r613838_chk

Verify the UEM server conceals, via the session lock, information previously visible on the display with a publicly viewable image. If the UEM server does not conceal via the session lock information previously visible on the display with a publicly viewable image, this is a finding.

Fix: F-37426r613839_fix

Configure the UEM server to conceal via the session lock information previously visible on the display with a publicly viewable image.

The UEM server must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-234277 - SV-234277r879513_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
SRG-APP-000003-UEM-000003
Vuln IDs
  • V-234277
Rule IDs
  • SV-234277r879513_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. Satisfies: FMT_SMF.1.1(2) c.8. Reference: PP-MDM-411047
Checks: C-37462r613841_chk

Verify the UEM server initiates a session lock after a 15-minute period of inactivity. If the UEM server does not initiate a session lock after a 15-minute period of inactivity, this is a finding.

Fix: F-37427r613842_fix

Configure the UEM server to initiate a session lock after a 15-minute period of inactivity.

The MDM server must provide the capability for users to directly initiate a session lock.
AC-11 - Medium - CCI-000058 - V-234278 - SV-234278r879514_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000058
Version
SRG-APP-000004-UEM-000004
Vuln IDs
  • V-234278
Rule IDs
  • SV-234278r879514_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. Rather than be forced to wait for a period of time to expire before the user session can be locked, applications need to provide users with the ability to manually invoke a session lock so users may secure their application should the need arise for them to temporarily vacate the immediate physical vicinity. Satisfies: FMT_SMF.1.1(2) b. Reference: PP-MDM-431012
Checks: C-37463r613844_chk

Verify the UEM server provides the capability for users to directly initiate a session lock. If the UEM server does not provide the capability for users to directly initiate a session lock, this is a finding.

Fix: F-37428r613845_fix

Configure the UEM server to provide the capability for users to directly initiate a session lock.

The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 - Medium - CCI-000056 - V-234279 - SV-234279r879515_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
SRG-APP-000005-UEM-000005
Vuln IDs
  • V-234279
Rule IDs
  • SV-234279r879515_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically determined and performed at the operating system level, but in some instances it may be at the application level. Regardless of where the session lock is determined and implemented, once invoked the session lock must remain in place until the user re-authenticates. No other system or application activity aside from re-authentication will unlock the system. Satisfies: FMT_SMF.1.1(2) b. Reference: PP-MDM-431013
Checks: C-37464r613847_chk

Verify the UEM server retains the session lock until the user reestablishes access using established identification and authentication procedures. If the UEM server does not retain the session lock until the user reestablishes access using established identification and authentication procedures, this is a finding.

Fix: F-37429r613848_fix

Configure the MDM server to retain the session lock until the user reestablishes access using established identification and authentication procedures.
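The five session requirements above (V-234275 through V-234279) fit together as one control set: a concurrency ceiling for privileged accounts, an idle timer, a user-invoked lock, a lock that only re-authentication clears, and a placeholder shown in place of the protected display while locked. The following Python session manager is an added illustration of that set and is not part of the SRG or of any UEM product; the class, method names and the "blank-screen" placeholder are assumptions, and the concurrency limit is applied to privileged accounts only, as the requirement states.

```python
"""Constructed session manager showing the AC-10/AC-11 controls together.
Not a UEM product's API: names and the placeholder value are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_PRIVILEGED_SESSIONS = 3        # "three or less concurrent sessions" per privileged account
IDLE_LOCK_SECONDS = 15 * 60        # lock after a 15-minute period of inactivity
LOCK_PLACEHOLDER = "blank-screen"  # publicly viewable image conveying no sensitive information


@dataclass
class Session:
    user: str
    privileged: bool
    last_activity: float
    locked: bool = False


class SessionManager:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def open_session(self, user: str, privileged: bool, now: float) -> Optional[str]:
        """Return a session token, or None when a privileged user already
        holds the maximum number of concurrent sessions (the new request is
        refused rather than evicting an older session; a policy choice)."""
        if privileged:
            active = sum(1 for s in self._sessions.values()
                         if s.user == user and s.privileged)
            if active >= MAX_PRIVILEGED_SESSIONS:
                return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, privileged, now)
        return token

    def close_session(self, token: str) -> None:
        self._sessions.pop(token, None)

    def lock(self, token: str) -> None:
        """User-initiated lock: no need to wait for the idle timer."""
        self._sessions[token].locked = True

    def unlock(self, token: str, reauthenticated: bool, now: float) -> bool:
        """The lock is retained until the user re-authenticates; any other
        activity leaves it in place and returns False."""
        s = self._sessions[token]
        if not reauthenticated:
            return False
        s.locked = False
        s.last_activity = now
        return True

    def touch(self, token: str, now: float) -> None:
        """Record user activity; a locked session accrues no activity."""
        s = self._sessions[token]
        if not s.locked:
            s.last_activity = now

    def render(self, token: str, protected_view: str, now: float) -> str:
        """What the display shows: the protected view, or the placeholder once
        the session is locked, whether manually or by the idle timeout."""
        s = self._sessions[token]
        if not s.locked and now - s.last_activity >= IDLE_LOCK_SECONDS:
            s.locked = True  # idle timeout reached: lock and conceal
        return LOCK_PLACEHOLDER if s.locked else protected_view
```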

The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
AC-17 - Medium - CCI-000068 - V-234283 - SV-234283r879519_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
SRG-APP-000014-UEM-000009
Vuln IDs
  • V-234283
Rule IDs
  • SV-234283r879519_rule
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. Satisfies: FCS_TLSC_EXT.1.1. Reference: PP-MDM-412061
Checks: C-37468r613859_chk

Verify the UEM server uses TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. If the UEM server does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access, this is a finding.

Fix: F-37433r613860_fix

Configure the UEM server to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
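Because the discussion puts both the server side and client negotiation in scope, the version floor has to be set on every TLS context the UEM server creates, and the check is easiest to verify from what was actually negotiated. The following Python is an added illustration, not the SRG's or any product's code: it pins TLS 1.2 as the minimum on a server and a client context using only the standard ssl module, and scans constructed access-log lines for handshakes below that floor (the log format and function names are assumptions).

```python
"""Constructed TLS version-floor example. Context builders use the standard
library only; the log format and function names are assumptions."""
import re
import ssl
from typing import List

MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

# Protocol names as reported by SSLSocket.version(), ordered oldest to newest.
_VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}


def server_context() -> ssl.SSLContext:
    """Context for the management web interface. Certificate loading
    (ctx.load_cert_chain) is left to deployment; the floor is what matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MINIMUM_TLS   # refuse clients that cannot do TLS 1.2+
    return ctx


def client_context() -> ssl.SSLContext:
    """Context for the server's own outbound connections (push services,
    directory, PKI); default settings verify the peer and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_TLS   # never negotiate down, even if offered
    return ctx


def version_is_acceptable(negotiated: str) -> bool:
    """True when a negotiated protocol name meets the TLS 1.2 floor."""
    rank = _VERSION_RANK.get(negotiated)
    return rank is not None and rank >= _VERSION_RANK["TLSv1.2"]


# Constructed access-log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2023-02-13T10:00:01Z client=10.0.0.5 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2023-02-13T10:00:07Z client=10.0.0.9 proto=TLSv1 cipher=AES128-SHA
2023-02-13T10:00:12Z client=10.0.0.5 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2023-02-13T10:00:15Z client=10.0.0.17 proto=TLSv1.1 cipher=AES256-SHA
"""

_LINE = re.compile(r"client=(?P<client>\S+)\s+proto=(?P<proto>\S+)")


def noncompliant_handshakes(log_text: str) -> List[str]:
    """Return 'client proto' pairs for handshakes below the floor, which is the
    evidence a reviewer wants when the check in C-37468r613859_chk is a finding."""
    found = []
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if m and not version_is_acceptable(m.group("proto")):
            found.append(f"{m.group('client')} {m.group('proto')}")
    return found
```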

The UEM server must provide automated mechanisms for supporting account management functions.
AC-2 - Medium - CCI-000015 - V-234286 - SV-234286r879522_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
SRG-APP-000023-UEM-000012
Vuln IDs
  • V-234286
Rule IDs
  • SV-234286r879522_rule
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.
Checks: C-37471r613868_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server provides automated mechanisms for supporting account management functions. If the UEM server does not provide automated mechanisms for supporting account management functions, this is a finding.

Fix: F-37436r613869_fix

Configure the UEM server to provide automated mechanisms for supporting account management functions.

The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.
AC-2 - Medium - CCI-000016 - V-234287 - SV-234287r879523_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000016
Version
SRG-APP-000024-UEM-000013
Vuln IDs
  • V-234287
Rule IDs
  • SV-234287r879523_rule
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary user accounts must be set upon account creation. Temporary user accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary user accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-37472r613871_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically removes or disables temporary user accounts after 72 hours, if supported by the UEM server. If the UEM server does not automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server, this is a finding.

Fix: F-37437r613872_fix

Configure the UEM server to automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server.

The UEM server must automatically disable accounts after a 35-day period of account inactivity.
AC-2 - Medium - CCI-000017 - V-234288 - SV-234288r879524_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000017
Version
SRG-APP-000025-UEM-000014
Vuln IDs
  • V-234288
Rule IDs
  • SV-234288r879524_rule
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. Satisfies: FMT_SMF.1(2) b. Reference: PP-MDM-431027
Checks: C-37473r613874_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically disables accounts after a 35-day period of account inactivity. If the UEM server does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.

Fix: F-37438r613875_fix

Configure the UEM server to automatically disable accounts after a 35-day period of account inactivity.

The UEM server must automatically audit account creation.
AC-2 - Medium - CCI-000018 - V-234289 - SV-234289r879525_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SRG-APP-000026-UEM-000015
Vuln IDs
  • V-234289
Rule IDs
  • SV-234289r879525_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail exists that documents the creation of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8. Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37474r613877_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account creation. If the UEM server does not automatically audit account creation, this is a finding.

Fix: F-37439r613878_fix

Configure the UEM server to automatically audit account creation.

The UEM server must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-234290 - SV-234290r879526_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
SRG-APP-000027-UEM-000016
Vuln IDs
  • V-234290
Rule IDs
  • SV-234290r879526_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail exists that documents the modification of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8. Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37475r613880_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account modification. If the UEM server does not automatically audit account modification, this is a finding.

Fix: F-37440r613881_fix

Configure the UEM server to automatically audit account modification.

The UEM server must automatically audit account disabling actions.
AC-2 - Medium - CCI-001404 - V-234291 - SV-234291r879527_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
SRG-APP-000028-UEM-000017
Vuln IDs
  • V-234291
Rule IDs
  • SV-234291r879527_rule
When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account disabling actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8. Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37476r613883_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account disabling actions. If the UEM server does not automatically audit account disabling actions, this is a finding.

Fix: F-37441r613884_fix

Configure the UEM server to automatically audit account disabling actions.

The UEM server must automatically audit account removal actions.
AC-2 - Medium - CCI-001405 - V-234292 - SV-234292r879528_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
SRG-APP-000029-UEM-000018
Vuln IDs
  • V-234292
Rule IDs
  • SV-234292r879528_rule
When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8. Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37477r613886_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account removal actions. If the UEM server does not automatically audit account removal actions, this is a finding.

Fix: F-37442r613887_fix

Configure the UEM server to automatically audit account removal actions.
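The AC-2 requirements from V-234286 through V-234292 describe one automated account-management loop: a local administrator account store whose create, modify, disable and remove actions each leave an audit record, and a scheduled pass that disables temporary accounts 72 hours after creation and any other account after 35 days without a logon, while leaving emergency and infrequently used local administrator accounts alone. The Python below is an added illustration of that loop (not the SRG's or any product's code) for a server that is not using the DoD Central Directory Service; the names, the audit record fields, and the choice to measure inactivity from creation for accounts that have never logged on are assumptions.

```python
"""Constructed account-lifecycle example: audited account actions plus the
72-hour temporary-account and 35-day inactivity sweeps, with the SRG's
exemptions. Names and record layout are assumptions, not a product's API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

TEMP_ACCOUNT_LIFETIME = timedelta(hours=72)
INACTIVITY_LIMIT = timedelta(days=35)
# Emergency accounts and infrequently used local administrator accounts are
# excluded from the inactivity rule by the discussion for V-234288.
EXEMPT_TYPES = {"emergency", "infrequent_local_admin"}


@dataclass
class Account:
    name: str
    account_type: str                    # "user", "temporary", "emergency", ...
    created: datetime
    last_logon: Optional[datetime] = None
    enabled: bool = True
    roles: List[str] = field(default_factory=list)


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[dict] = []   # append-only; ship to the SIEM in practice

    def _audit(self, actor: str, action: str, target: str,
               when: datetime, detail: str = "") -> None:
        # Every record carries who acted, what happened, on which account, and when.
        self.audit_log.append({"time": when.isoformat(), "actor": actor,
                               "action": action, "target": target, "detail": detail})

    def create(self, actor: str, name: str, account_type: str,
               now: datetime, roles: Iterable[str] = ()) -> None:
        self.accounts[name] = Account(name, account_type, now, roles=list(roles))
        self._audit(actor, "account.create", name, now, f"type={account_type}")

    def modify(self, actor: str, name: str, now: datetime, roles: Iterable[str]) -> None:
        acct = self.accounts[name]
        before = list(acct.roles)
        acct.roles = list(roles)
        self._audit(actor, "account.modify", name, now, f"roles {before} -> {acct.roles}")

    def disable(self, actor: str, name: str, now: datetime, reason: str = "") -> None:
        acct = self.accounts[name]
        if acct.enabled:
            acct.enabled = False
            self._audit(actor, "account.disable", name, now, reason)

    def remove(self, actor: str, name: str, now: datetime) -> None:
        del self.accounts[name]
        self._audit(actor, "account.remove", name, now)

    def record_logon(self, name: str, now: datetime) -> None:
        self.accounts[name].last_logon = now

    def sweep(self, now: datetime) -> List[str]:
        """Automated disabling pass. Returns the names disabled this run, so the
        scheduler can raise the administrative alert the requirement expects."""
        disabled = []
        for acct in list(self.accounts.values()):
            if not acct.enabled or acct.account_type in EXEMPT_TYPES:
                continue
            if acct.account_type == "temporary" and now - acct.created >= TEMP_ACCOUNT_LIFETIME:
                self.disable("system:sweeper", acct.name, now, "temporary account expired (72h)")
                disabled.append(acct.name)
                continue
            # Assumption: an account that never logged on is measured from creation.
            last_seen = acct.last_logon or acct.created
            if now - last_seen >= INACTIVITY_LIMIT:
                self.disable("system:sweeper", acct.name, now, "35 days of inactivity")
                disabled.append(acct.name)
        return disabled
```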

The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-234310 - SV-234310r879546_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
SRG-APP-000065-UEM-000036
Vuln IDs
  • V-234310
Rule IDs
  • SV-234310r879546_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies: FMT_SMF.1(2) b. Reference: PP-MDM-431028
Checks: C-37495r617396_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If the UEM server does not enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.

Fix: F-37460r613941_fix

Configure the UEM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
AC-8 - Medium - CCI-000048 - V-234311 - SV-234311r879547_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SRG-APP-000068-UEM-000037
Vuln IDs
  • V-234311
Rule IDs
  • SV-234311r879547_rule
Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: FTA_TAB.1.1, FMT_SMF.1.1(2) c.2. Reference: PP-MDM-411056
Checks: C-37496r613943_chk

Verify the UEM server displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. If the UEM server does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application, this is a finding.

Fix: F-37461r613944_fix

Configure the UEM server to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.
AC-8 - Low - CCI-000050 - V-234312 - SV-234312r879548_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000050
Version
SRG-APP-000069-UEM-000038
Vuln IDs
  • V-234312
Rule IDs
  • SV-234312r879548_rule
The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". Satisfies: FTA_TAB.1.1. Reference: PP-MDM-413003
Checks: C-37497r613946_chk

Verify the UEM server retains the access banner until the user acknowledges acceptance of the access conditions. If the UEM server does not retain the access banner until the user acknowledges acceptance of the access conditions, this is a finding.

Fix: F-37462r613947_fix

Configure the UEM server to retain the access banner until the user acknowledges acceptance of the access conditions.

The UEM server must notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access).
AC-9 - Medium - CCI-000052 - V-234315 - SV-234315r879551_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000052
Version
SRG-APP-000075-UEM-000041
Vuln IDs
  • V-234315
Rule IDs
  • SV-234315r879551_rule
Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).
Checks: C-37500r613955_chk

Verify the UEM server notifies the user, upon successful logon (access) to the application, of the date and time of the last logon (access). If the UEM server does not notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access), this is a finding.

Fix: F-37465r613956_fix

Configure the UEM server to notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access).

The UEM server must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
AC-9 - Medium - CCI-000053 - V-234316 - SV-234316r879552_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000053
Version
SRG-APP-000076-UEM-000042
Vuln IDs
  • V-234316
Rule IDs
  • SV-234316r879552_rule
Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to log in to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This requirement is intended to cover both traditional logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).
Checks: C-37501r613958_chk

Verify the UEM server notifies the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). If the UEM server does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.

Fix: F-37466r613959_fix

Configure the UEM server to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
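The lockout rule in V-234310 and the two logon notifications in V-234315 and V-234316 share one piece of state: the per-account record of failed attempts and of the last successful logon. The Python logon controller below is an added illustration (not the SRG's or any product's code) of all three for a locally authenticated administrator account: three consecutive invalid attempts inside a sliding 15-minute window lock the account, a success resets the consecutive count and reports the previous successful logon time and the number of failures since it, and an unknown user gets the same response as a wrong password. Names are assumptions, as is the plaintext password compare, which stands in for a salted-hash check.

```python
"""Constructed logon controller: AC-7 lockout plus AC-9 last-logon and
failed-attempt notifications. Names are assumptions, not a product's API."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CONSECUTIVE_FAILURES = 3
FAILURE_WINDOW_SECONDS = 15 * 60


@dataclass
class AccountState:
    password: str                 # constructed stand-in for a salted password hash
    recent_failures: List[float] = field(default_factory=list)   # timestamps in window
    failures_since_success: int = 0
    last_success: Optional[float] = None
    locked: bool = False


@dataclass
class LogonResult:
    ok: bool
    reason: str
    last_logon: Optional[float] = None   # shown to the user on success
    failed_since_last: int = 0           # shown to the user on success


class LogonController:
    def __init__(self, accounts: Dict[str, str]) -> None:
        self._state = {user: AccountState(pw) for user, pw in accounts.items()}

    def _record_failure(self, st: AccountState, now: float) -> None:
        # Only failures inside the sliding 15-minute window count toward lockout;
        # a success clears them, so the count is of consecutive failures.
        st.recent_failures = [t for t in st.recent_failures
                              if now - t < FAILURE_WINDOW_SECONDS]
        st.recent_failures.append(now)
        st.failures_since_success += 1
        if len(st.recent_failures) >= MAX_CONSECUTIVE_FAILURES:
            st.locked = True

    def logon(self, user: str, password: str, now: float) -> LogonResult:
        st = self._state.get(user)
        if st is None:
            # Same message as a wrong password so usernames cannot be enumerated.
            return LogonResult(False, "invalid credentials")
        if st.locked:
            return LogonResult(False, "account locked")
        if not hmac.compare_digest(password.encode(), st.password.encode()):
            self._record_failure(st, now)
            return LogonResult(False, "account locked" if st.locked else "invalid credentials")
        # Success: report the previous logon and the failures since it, then reset.
        result = LogonResult(True, "ok", st.last_success, st.failures_since_success)
        st.last_success = now
        st.failures_since_success = 0
        st.recent_failures.clear()
        return result

    def admin_unlock(self, user: str) -> None:
        """Administrator clears a lockout; the failures-since-last-success count
        is kept so the user still sees it at the next successful logon."""
        st = self._state[user]
        st.locked = False
        st.recent_failures.clear()
```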

The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
AU-10 - Medium - CCI-000166 - V-234318 - SV-234318r879554_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-000166
Version
SRG-APP-000080-UEM-000044
Vuln IDs
  • V-234318
Rule IDs
  • SV-234318r879554_rule
Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. The application will be configured to provide non-repudiation services for an organization-defined set of commands that are used by the user (or processes acting on behalf of the user). DoD PKI provides for non-repudiation through the use of digital signatures. Non-repudiation requirements will vary from one application to another and will be defined based on application functionality, data sensitivity, and mission requirements. Satisfies: FCS_COP.1.1(3), FCS_COP.1.1(4)
Checks: C-37503r613964_chk

Verify the UEM server protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. If the UEM server does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.

Fix: F-37468r613965_fix

Configure the UEM server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.
AU-12 - Medium - CCI-000169 - V-234323 - SV-234323r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SRG-APP-000089-UEM-000049
Vuln IDs
  • V-234323
Rule IDs
  • SV-234323r879559_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the application will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions.

DoD Required auditable events:
- Change in enrollment status
- Failure to apply policies to a mobile device
- Start up and shut down of the UEM System
- All administrative actions
- Commands issued to the UEM Agent
- Server component failure
- All system alerts, including system integrity verification failures

Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8 Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37508r613979_chk

Verify the UEM server provides audit record generation capability for DoD-defined auditable events within all application components. If the UEM server does not provide audit record generation capability for DoD-defined auditable events within all application components, this is a finding.

Fix: F-37473r613980_fix

Configure the UEM server to provide audit record generation capability for DoD-defined auditable events within all application components.

The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.
AU-12 - Medium - CCI-000169 - V-234324 - SV-234324r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SRG-APP-000089-UEM-000050
Vuln IDs
  • V-234324
Rule IDs
  • SV-234324r879559_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems. Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Satisfies: FAU_SAR.1.2 Reference: PP-MDM-413050
Checks: C-37509r613982_chk

Verify the UEM server provides audit records in a manner suitable for the Authorized Administrators to interpret the information. If the UEM server does not provide audit records in a manner suitable for the Authorized Administrators to interpret the information, this is a finding.

Fix: F-37474r613983_fix

Configure the UEM server to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.

The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-234325 - SV-234325r879560_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
SRG-APP-000090-UEM-000051
Vuln IDs
  • V-234325
Rule IDs
  • SV-234325r879560_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. Satisfies: FMT_SMR.1.1(1) Reference: PP-MDM-411058
Checks: C-37510r613985_chk

Verify the UEM server allows only specific administrator roles to select which auditable events are to be audited. If the UEM server does not allow only specific administrator roles to select which auditable events are to be audited, this is a finding.

Fix: F-37475r613986_fix

Configure the UEM server to allow only specific administrator roles to select which auditable events are to be audited.

The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.
AU-12 - Medium - CCI-000172 - V-234326 - SV-234326r879561_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000091-UEM-000052
Vuln IDs
  • V-234326
Rule IDs
  • SV-234326r879561_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: FAU_GEN.1.1(1)
Checks: C-37511r613988_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to access privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.

Fix: F-37476r613989_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to access privileges occur.

The UEM server must initiate session auditing upon startup.
AU-14 - Medium - CCI-001464 - V-234327 - SV-234327r879562_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
SRG-APP-000092-UEM-000053
Vuln IDs
  • V-234327
Rule IDs
  • SV-234327r879562_rule
If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies: FAU_GEN.1.1(1)
Checks: C-37512r613991_chk

Verify the UEM server initiates session auditing upon startup. If the UEM server does not initiate session auditing upon startup, this is a finding.

Fix: F-37477r613992_fix

Configure the UEM server to initiate session auditing upon startup.

The UEM server must be configured to produce audit records containing information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-234328 - SV-234328r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SRG-APP-000095-UEM-000055
Vuln IDs
  • V-234328
Rule IDs
  • SV-234328r879563_rule
Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37513r613994_chk

Verify the UEM server produces audit records containing information to establish what type of events occurred. If the UEM server does not produce audit records containing information to establish what type of events occurred, this is a finding.

Fix: F-37478r613995_fix

Configure the UEM server to produce audit records containing information to establish what type of events occurred.

The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.
AU-3 - Medium - CCI-000131 - V-234329 - SV-234329r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
SRG-APP-000096-UEM-000056
Vuln IDs
  • V-234329
Rule IDs
  • SV-234329r879564_rule
Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37514r613997_chk

Verify the UEM server produces audit records containing information to establish when (date and time) the events occurred. If the UEM server does not produce audit records containing information to establish when (date and time) the events occurred, this is a finding.

Fix: F-37479r613998_fix

Configure the UEM server to produce audit records containing information to establish when (date and time) the events occurred.

The UEM server must be configured to produce audit records containing information to establish where the events occurred.
AU-3 - Medium - CCI-000132 - V-234330 - SV-234330r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
SRG-APP-000097-UEM-000057
Vuln IDs
  • V-234330
Rule IDs
  • SV-234330r879565_rule
Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37515r614000_chk

Verify the UEM server produces audit records containing information to establish where the events occurred. If the UEM server does not produce audit records containing information to establish where the events occurred, this is a finding.

Fix: F-37480r614001_fix

Configure the UEM server to produce audit records containing information to establish where the events occurred.

The UEM server must be configured to produce audit records containing information to establish the source of the events.
AU-3 - Medium - CCI-000133 - V-234331 - SV-234331r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
SRG-APP-000098-UEM-000058
Vuln IDs
  • V-234331
Rule IDs
  • SV-234331r879566_rule
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event. In the case of centralized logging, the source would be the application name accompanied by the host or client name. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging. Associating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37516r614003_chk

Verify the UEM server produces audit records containing information to establish the source of the events. If the UEM server does not produce audit records containing information to establish the source of the events, this is a finding.

Fix: F-37481r614004_fix

Configure the UEM server to produce audit records containing information to establish the source of the events.

The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.
AU-3 - Medium - CCI-000134 - V-234332 - SV-234332r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
SRG-APP-000099-UEM-000059
Vuln IDs
  • V-234332
Rule IDs
  • SV-234332r879567_rule
Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37517r614006_chk

Verify the UEM server produces audit records that contain information to establish the outcome of the events. If the UEM server does not produce audit records that contain information to establish the outcome of the events, this is a finding.

Fix: F-37482r614007_fix

Configure the UEM server to produce audit records that contain information to establish the outcome of the events.

The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
AU-3 - Medium - CCI-001487 - V-234333 - SV-234333r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
SRG-APP-000100-UEM-000060
Vuln IDs
  • V-234333
Rule IDs
  • SV-234333r879568_rule
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Event identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37518r614009_chk

Verify the UEM server generates audit records containing information that establishes the identity of any individual or process associated with the event. If the UEM server does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.

Fix: F-37483r614010_fix

Configure the UEM server to generate audit records containing information that establishes the identity of any individual or process associated with the event.

The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
AU-3 - Medium - CCI-000135 - V-234334 - SV-234334r879569_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
SRG-APP-000101-UEM-000061
Vuln IDs
  • V-234334
Rule IDs
  • SV-234334r879569_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. In addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events. Satisfies: FAU_GEN.1.2(1) Reference: PP-MDM-412060
Checks: C-37519r614012_chk

Verify the UEM server generates audit records containing the full-text recording of privileged commands or the individual identities of group account users. If the UEM server does not generate audit records containing the full-text recording of privileged commands or the individual identities of group account users, this is a finding.

Fix: F-37484r614013_fix

Configure the UEM server to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
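An added audit-record completeness check, not part of the SRG or any UEM product, that tests log lines against the content the AU-3 requirements above call for (event type, date and time, where, source, outcome, subject identity, and full-text recording of privileged commands) and reports which of the DoD-required auditable events from SRG-APP-000089-UEM-000049 never appear in the log. The newline-delimited JSON layout, the field names, the event_type values and the sample lines are constructed assumptions; a real server's log format will need its fields mapped onto these.

```python
"""Audit-record completeness check (added example; not from the SRG or any UEM product)."""
import json
from datetime import datetime
from typing import Dict, Iterable, List

# Content the AU-3 requirements call for: what, when, where, source, outcome,
# and the identity of the subject. These field names are assumptions.
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")

# DoD-required auditable events (SRG-APP-000089-UEM-000049), keyed by the
# constructed event_type values this example assumes a UEM server emits.
DOD_REQUIRED_EVENTS = {
    "enrollment_status_change": "Change in enrollment status",
    "policy_apply_failure": "Failure to apply policies to a mobile device",
    "server_startup": "Start up of the UEM System",
    "server_shutdown": "Shut down of the UEM System",
    "admin_action": "All administrative actions",
    "agent_command": "Commands issued to the UEM Agent",
    "component_failure": "Server component failure",
    "system_alert": "System alerts, including integrity verification failures",
}

# Constructed sample log (newline-delimited JSON); not output of any real product.
SAMPLE_LINES = [
    '{"event_type":"server_startup","timestamp":"2023-02-13T08:00:00Z","host":"uem01",'
    '"source":"uem-server","outcome":"success","subject":"system"}',
    '{"event_type":"admin_action","timestamp":"2023-02-13T08:05:12Z","host":"uem01",'
    '"source":"uem-console","outcome":"success","subject":"admin.jdoe",'
    '"command":"set-policy passcode-min-length=8"}',
    '{"event_type":"admin_action","timestamp":"2023-02-13 08:06:00","host":"uem01",'
    '"source":"uem-console","outcome":"ok","subject":"admin.jdoe"}',
    '{"event_type":"policy_apply_failure","timestamp":"2023-02-13T08:07:00+00:00",'
    '"host":"uem01","source":"uem-server","outcome":"failure"}',
    'not json at all',
]


def record_defects(record: dict) -> List[str]:
    """Return the AU-3 content defects of one parsed record (empty list = compliant)."""
    defects = [f"missing {field}" for field in REQUIRED_FIELDS if not record.get(field)]
    ts = record.get("timestamp")
    if ts:
        try:
            # Require an RFC 3339 timestamp with an explicit UTC offset so records
            # from different hosts can be correlated; "Z" is normalised for older
            # Python versions whose fromisoformat() does not accept it.
            if datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is None:
                defects.append("timestamp lacks UTC offset")
        except ValueError:
            defects.append("timestamp not RFC 3339")
    if record.get("outcome") not in (None, "", "success", "failure"):
        defects.append("outcome not success/failure")
    # Privileged (administrative) actions must carry the full command text.
    if record.get("event_type") == "admin_action" and not record.get("command"):
        defects.append("privileged command without full-text recording")
    return defects


def audit_log_report(lines: Iterable[str]) -> Dict[str, object]:
    """Check each JSON line; report per-line defects (1-based line numbers) and the
    DoD-required event types that never appeared, a gap an assessor would flag."""
    defects_by_line: Dict[int, List[str]] = {}
    seen = set()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            defects_by_line[n] = ["not valid JSON"]
            continue
        found = record_defects(rec)
        if found:
            defects_by_line[n] = found
        seen.add(rec.get("event_type"))
    unseen = sorted(set(DOD_REQUIRED_EVENTS) - seen)
    return {"defects": defects_by_line, "unseen_event_types": unseen}


if __name__ == "__main__":
    report = audit_log_report(SAMPLE_LINES)
    for n, found in sorted(report["defects"].items()):
        print(f"line {n}: {', '.join(found)}")
    for key in report["unseen_event_types"]:
        print(f"never logged: {DOD_REQUIRED_EVENTS[key]}")
```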

The UEM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-234335 - SV-234335r879570_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
SRG-APP-000108-UEM-000062
Vuln IDs
  • V-234335
Rule IDs
  • SV-234335r879570_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Satisfies: FAU_ALT_EXT.1.1 Reference: PP-MDM-412059
Checks: C-37520r614015_chk

Verify the UEM server alerts the ISSO and SA (at a minimum) in the event of an audit processing failure. If the UEM server does not alert the ISSO and SA (at a minimum) in the event of an audit processing failure, this is a finding.

Fix: F-37485r614016_fix

Configure the UEM server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The UEM server must use host operating system clocks to generate time stamps for audit records.
AU-8 - Medium - CCI-000159 - V-234340 - SV-234340r879575_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-000159
Version
SRG-APP-000116-UEM-000067
Vuln IDs
  • V-234340
Rule IDs
  • SV-234340r879575_rule
Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose. Satisfies: OE.TIMESTAMP, FAU_GEN.1.2(1)
Checks: C-37525r614030_chk

Verify the UEM server uses host operating system clocks to generate time stamps for audit records. If the UEM server does not use host operating system clocks to generate time stamps for audit records, this is a finding.

Fix: F-37490r614031_fix

Configure the UEM server to use host operating system clocks to generate time stamps for audit records.

The UEM server must protect audit information from any type of unauthorized read access.
AU-9 - Medium - CCI-000162 - V-234341 - SV-234341r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
SRG-APP-000118-UEM-000068
Vuln IDs
  • V-234341
Rule IDs
  • SV-234341r879576_rule
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Satisfies: FIA_UAU.1.2, FMT_SMR.1.1(1)
Checks: C-37526r614033_chk

Verify the UEM server protects audit information from any type of unauthorized read access. If the UEM server does not protect audit information from any type of unauthorized read access, this is a finding.

Fix: F-37491r614034_fix

Configure the UEM server to protect audit information from any type of unauthorized read access.

The UEM server must protect audit information from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-234342 - SV-234342r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
SRG-APP-000119-UEM-000069
Vuln IDs
  • V-234342
Rule IDs
  • SV-234342r879577_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Satisfies: FIA_UAU.1.2, FMT_SMR.1.1(1)
Checks: C-37527r614036_chk

Verify the UEM server protects audit information from unauthorized modification. If the UEM server does not protect audit information from unauthorized modification, this is a finding.

Fix: F-37492r614037_fix

Configure the UEM server to protect audit information from unauthorized modification.

The UEM server must protect audit information from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-234343 - SV-234343r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
SRG-APP-000120-UEM-000070
Vuln IDs
  • V-234343
Rule IDs
  • SV-234343r879578_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and protections, restricting access, and backing up log data so that it is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself. Satisfies: FIA_UAU.1.2, FMT_SMR.1.1(1)
Checks: C-37528r614039_chk

Verify the UEM server protects audit information from unauthorized deletion. If the UEM server does not protect audit information from unauthorized deletion, this is a finding.

Fix: F-37493r614040_fix

Configure the UEM server to protect audit information from unauthorized deletion.

The UEM server must back up audit records at least every seven days onto a log management server.
AU-9 - Medium - CCI-001348 - V-234347 - SV-234347r879582_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
SRG-APP-000125-UEM-000074
Vuln IDs
  • V-234347
Rule IDs
  • SV-234347r879582_rule
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. Satisfies: FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b
Checks: C-37532r614051_chk

Verify the UEM server backs up audit records at least every seven days onto a log management server. If the UEM server does not back up audit records at least every seven days onto a log management server, this is a finding.

Fix: F-37497r614052_fix

Configure the UEM server to back up audit records at least every seven days onto a log management server.

The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 - Medium - CCI-001749 - V-234349 - SV-234349r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
SRG-APP-000131-UEM-000076
Vuln IDs
  • V-234349
Rule IDs
  • SV-234349r879584_rule
Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. Satisfies: FIA_X509_EXT.1.1(1)
Checks: C-37534r614057_chk

Verify the UEM server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. If the UEM server does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.

Fix: F-37499r614058_fix

Configure the UEM server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The UEM server must limit privileges to change the software resident within software libraries.
CM-5 - Medium - CCI-001499 - V-234351 - SV-234351r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SRG-APP-000133-UEM-000078
Vuln IDs
  • V-234351
Rule IDs
  • SV-234351r879586_rule
If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs, which execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Satisfies: FMT_SMR.1.1(1), FPT_TUD_EXT.1.2
Checks: C-37536r614063_chk

Verify the UEM server limits privileges to change the software resident within software libraries. If the UEM server does not limit privileges to change the software resident within software libraries, this is a finding.

Fix: F-37501r614064_fix

Configure the UEM server to limit privileges to change the software resident within software libraries.

b
The UEM server must be configured to disable non-essential capabilities.
CM-7 - Medium - CCI-000381 - V-234352 - SV-234352r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
SRG-APP-000141-UEM-000079
Vuln IDs
  • V-234352
Rule IDs
  • SV-234352r879587_rule
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled. Satisfies:FMT_SMF.1.1(2) c.2 Reference:PP-MDM-411064
Checks: C-37537r614066_chk

Verify the UEM server has disabled non-essential capabilities. If the UEM server has not disabled non-essential capabilities, this is a finding.

Fix: F-37502r614067_fix

Configure the UEM server to disable non-essential capabilities.

b
The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
CM-7 - Medium - CCI-000382 - V-234353 - SV-234353r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SRG-APP-000142-UEM-000080
Vuln IDs
  • V-234353
Rule IDs
  • SV-234353r879588_rule
All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. Satisfies:FMT_SMF.1.1(2) Refinement b Reference:PP-MDM-431006
Checks: C-37538r614069_chk

Verify the firewall protecting the UEM server platform is configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services). If the firewall protecting the UEM server platform is not configured so that only DoD-approved ports, protocols, and services are enabled, this is a finding.

Fix: F-37503r614070_fix

Configure the firewall protecting the UEM server platform so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).

b
The UEM server must be configured to use only documented platform APIs.
CM-7 - Medium - CCI-000382 - V-234354 - SV-234354r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SRG-APP-000142-UEM-000081
Vuln IDs
  • V-234354
Rule IDs
  • SV-234354r879588_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). Satisfies:FPT_API_EXT.1.1
Checks: C-37539r614072_chk

Verify the UEM server uses only documented platform APIs. If the UEM server does not use only documented platform APIs, this is a finding.

Fix: F-37504r614073_fix

Configure the UEM server to use only documented platform APIs.

b
The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-234355 - SV-234355r879589_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
SRG-APP-000148-UEM-000082
Vuln IDs
  • V-234355
Rule IDs
  • SV-234355r879589_rule
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37540r614075_chk

This requirement is Not Applicable when the UEM server is configured to use a DoD Central Directory Service for administrator account authentication. Verify the UEM server uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). If the UEM server does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.

Fix: F-37505r614076_fix

Configure the UEM server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

b
The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
IA-2 - Medium - CCI-000765 - V-234356 - SV-234356r879590_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
SRG-APP-000149-UEM-000083
Vuln IDs
  • V-234356
Rule IDs
  • SV-234356r879590_rule
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37541r614078_chk

Verify the UEM server uses a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. If the UEM server does not use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts, this is a finding.

Fix: F-37506r614079_fix

Configure the UEM server to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.

b
All UEM server local accounts created during application installation and configuration must be removed. Note: In this context, "local accounts" refers to user and/or administrator accounts on the server that use a user name and password for user access and authentication.
IA-2 - Medium - CCI-000767 - V-234358 - SV-234358r879592_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000767
Version
SRG-APP-000151-UEM-000085
Vuln IDs
  • V-234358
Rule IDs
  • SV-234358r879592_rule
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies:FMT_SMF.1.1(2) b / IA-5(1)(a) Reference:PP-MDM-431007
Checks: C-37543r614084_chk

Verify all UEM server local accounts created during application installation and configuration have been removed. Note: In this context, "local" accounts refers to user and/or administrator accounts on the server that use a user name and password for user access and authentication. If all UEM server local accounts created during application installation and configuration have not been removed, this is a finding.

Fix: F-37508r614085_fix

Remove all UEM server local accounts created during application installation. Note: In this context, "local" accounts refers to user and/or administrator accounts on the server that use a user name and password for user access and authentication.

b
The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - Medium - CCI-000770 - V-234360 - SV-234360r879594_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
SRG-APP-000153-UEM-000087
Vuln IDs
  • V-234360
Rule IDs
  • SV-234360r879594_rule
To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information. Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37545r614090_chk

This requirement is Not Applicable when the UEM server is configured to use a DoD Central Directory Service for administrator account authentication. Verify the UEM server ensures users are authenticated with an individual authenticator prior to using a group authenticator. If the UEM server does not ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.

Fix: F-37510r614091_fix

Configure the UEM server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.

b
The UEM server must be configured to use DoD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.
IA-2 - Medium - CCI-001936 - V-234361 - SV-234361r879595_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001936
Version
SRG-APP-000154-UEM-000088
Vuln IDs
  • V-234361
Rule IDs
  • SV-234361r879595_rule
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is any information system account with authorizations of a privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
Checks: C-37546r614093_chk

Verify the UEM server uses DoD PKI for multifactor authentication. If the UEM server does not use DoD PKI for multifactor authentication, this is a finding.

Fix: F-37511r614094_fix

Configure the UEM server to use DoD PKI for multifactor authentication.

c
The UEM server must use a FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - High - CCI-001941 - V-234363 - SV-234363r879597_rule
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
SRG-APP-000156-UEM-000090
Vuln IDs
  • V-234363
Rule IDs
  • SV-234363r879597_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Anti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols, such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol, is also compliant. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Configure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method. Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37548r614099_chk

This requirement is Not Applicable when the UEM server is configured to use a DoD Central Directory Service for administrator account authentication. Verify the UEM server uses a FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the UEM server does not use a FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.

Fix: F-37513r614100_fix

Configure the UEM server to use a FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

b
The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2 - Medium - CCI-001942 - V-234364 - SV-234364r879598_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001942
Version
SRG-APP-000157-UEM-000091
Vuln IDs
  • V-234364
Rule IDs
  • SV-234364r879598_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any operating system account with authorizations of a non-privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37549r614102_chk

This requirement is Not Applicable when the UEM server is configured to use a DoD Central Directory Service for administrator account authentication. Verify the UEM server implements replay-resistant authentication mechanisms for network access to non-privileged accounts. If the UEM server does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.

Fix: F-37514r614103_fix

Configure the UEM server to implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

b
The UEM server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
IA-4 - Medium - CCI-000795 - V-234366 - SV-234366r879600_rule
RMF Control
IA-4
Severity
Medium
CCI
CCI-000795
Version
SRG-APP-000163-UEM-000093
Vuln IDs
  • V-234366
Rule IDs
  • SV-234366r879600_rule
Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of inactivity and disable application identifiers after 35 days of inactivity. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual. To avoid having to build complex user management capabilities directly into their application, wise developers leverage the underlying OS or other user account management infrastructure (AD, LDAP) that is already in place within the organization and meets organizational user account management requirements.
Checks: C-37551r614108_chk

This requirement is Not Applicable when the UEM server is configured to use a DoD Central Directory Service for administrator account authentication. Verify the UEM server disables identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. If the UEM server does not disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.

Fix: F-37516r614109_fix

Configure the UEM server to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

b
The UEM server must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-234367 - SV-234367r879601_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
SRG-APP-000164-UEM-000094
Vuln IDs
  • V-234367
Rule IDs
  • SV-234367r879601_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431018
Checks: C-37552r614111_chk

Verify the UEM server enforces a minimum 15-character password length. If the UEM server does not enforce a minimum 15-character password length, this is a finding.

Fix: F-37517r614112_fix

Configure the UEM server to enforce a minimum 15-character password length.

b
The UEM server must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-234368 - SV-234368r879602_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
SRG-APP-000165-UEM-000095
Vuln IDs
  • V-234368
Rule IDs
  • SV-234368r879602_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431025
Checks: C-37553r614114_chk

Verify the UEM server prohibits password reuse for a minimum of five generations. If the UEM server does not prohibit password reuse for a minimum of five generations, this is a finding.

Fix: F-37518r614115_fix

Configure the UEM server to prohibit password reuse for a minimum of five generations.

b
The UEM server must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-234369 - SV-234369r879603_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
SRG-APP-000166-UEM-000096
Vuln IDs
  • V-234369
Rule IDs
  • SV-234369r879603_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431020
Checks: C-37554r614117_chk

Verify the UEM server enforces password complexity by requiring that at least one uppercase character be used. If the UEM server does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-37519r614118_fix

Configure the UEM server to enforce password complexity by requiring that at least one uppercase character be used.

b
The UEM server must enforce password complexity by requiring that at least one lowercase character be used.
IA-5 - Medium - CCI-000193 - V-234370 - SV-234370r879604_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
SRG-APP-000167-UEM-000097
Vuln IDs
  • V-234370
Rule IDs
  • SV-234370r879604_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431019
Checks: C-37555r614120_chk

Verify the UEM server enforces password complexity by requiring that at least one lowercase character be used. If the UEM server does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Fix: F-37520r614121_fix

Configure the UEM server to enforce password complexity by requiring that at least one lowercase character be used.

b
The UEM server must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-234371 - SV-234371r879605_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
SRG-APP-000168-UEM-000098
Vuln IDs
  • V-234371
Rule IDs
  • SV-234371r879605_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431021
Checks: C-37556r614123_chk

Verify the UEM server enforces password complexity by requiring that at least one numeric character be used. If the UEM server does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-37521r614124_fix

Configure the UEM server to enforce password complexity by requiring that at least one numeric character be used.

b
The UEM server must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-234372 - SV-234372r879606_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
SRG-APP-000169-UEM-000099
Vuln IDs
  • V-234372
Rule IDs
  • SV-234372r879606_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431022
Checks: C-37557r614126_chk

Verify the UEM server enforces password complexity by requiring that at least one special character be used. If the UEM server does not enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-37522r614127_fix

Configure the UEM server to enforce password complexity by requiring that at least one special character be used.

b
The UEM server must require the change of at least 15 of the total number of characters when passwords are changed.
IA-5 - Medium - CCI-000195 - V-234373 - SV-234373r879607_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
SRG-APP-000170-UEM-000100
Vuln IDs
  • V-234373
Rule IDs
  • SV-234373r879607_rule
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
Checks: C-37558r614129_chk

Verify the UEM server requires the change of at least 15 of the total number of characters when passwords are changed. If the UEM server does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.

Fix: F-37523r614130_fix

Configure the UEM server to require the change of at least 15 of the total number of characters when passwords are changed.
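The password requirements SRG-APP-000164 through SRG-APP-000170 above (15-character minimum, no reuse within five generations, at least one uppercase, lowercase, numeric and special character, and at least 15 changed positions on a change) can be enforced together in one policy routine. The following Python is an added example written for this page, not code from DISA or from any UEM product. The PBKDF2 iteration count used for the stored history verifiers, the treatment of passwords of unequal length in the position count, and the sample passwords are assumptions of the example.

```python
import hashlib
import hmac
import os
import re

# Policy values taken from the requirements above (SRG-APP-000164/165/166-169/170-UEM).
MIN_LENGTH = 15              # minimum password length
HISTORY_DEPTH = 5            # generations for which reuse is prohibited
MIN_CHANGED_POSITIONS = 15   # positions that must differ from the current password
PBKDF2_ROUNDS = 100_000      # iteration count for the history verifiers (assumed value)


def complexity_findings(password: str) -> list[str]:
    """Return the complexity rules the candidate password violates (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below the {MIN_LENGTH}-character minimum")
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase character")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase character")
    if not re.search(r"[0-9]", password):
        findings.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special (non-alphanumeric) character")
    return findings


def changed_positions(current: str, new: str) -> int:
    """Count positions at which the new password differs from the current one.

    Following the SRG discussion, the comparison is positional: a character that
    reappears at a different position still counts as changed. Positions present in
    only one of the two passwords (unequal lengths) are counted as changed; that
    treatment is an assumption of this example.
    """
    common = min(len(current), len(new))
    differing = sum(1 for i in range(common) if current[i] != new[i])
    return differing + abs(len(current) - len(new))


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 verifier kept in the password history (never the plaintext)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_recently_used(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored verifiers."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def validate_password_change(current: str, new: str,
                             history: list[tuple[bytes, bytes]]) -> list[str]:
    """Apply every rule to a proposed change; an empty list means the change is acceptable."""
    findings = complexity_findings(new)
    if was_recently_used(new, history):
        findings.append(f"password was used within the last {HISTORY_DEPTH} generations")
    changed = changed_positions(current, new)
    if changed < MIN_CHANGED_POSITIONS:
        findings.append(f"only {changed} positions changed; at least {MIN_CHANGED_POSITIONS} required")
    return findings


if __name__ == "__main__":
    # Constructed sample: the history holds verifiers for the current and one older password.
    history = [history_entry(p) for p in ("Older-Password-Value-0", "Old-Password-Value-01")]
    print(validate_password_change("Old-Password-Value-01", "Old-Password-Value-02", history))
    print(validate_password_change("Old-Password-Value-01", "Completely-New-Secret-9!", history))
```

The history stores only salted verifiers, so the reuse check never needs the old plaintexts; the position check does need the current password, which is available because the user supplies it at change time.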

b
For a UEM server using password authentication, the application must store only cryptographic representations of passwords.
IA-5 - Medium - CCI-000196 - V-234374 - SV-234374r879608_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
SRG-APP-000171-UEM-000101
Vuln IDs
  • V-234374
Rule IDs
  • SV-234374r879608_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include:
- When the user does not use a CAC and is not a current DoD employee, member of the military, or DoD contractor.
- When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
- When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.
If the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. Verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash.
A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows:
H_0 = H(pwd, H(salt))
H_n = H(H_{n-1}, H(salt))
In the above, "n" is a cryptographically strong random number. "H_n" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares the recomputed "H_n" with the stored "H_n". A salt is essentially a fixed-length cryptographically strong random value. Another method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key. This requirement applies to all accounts including authentication server, AAA, and local accounts, including the root account and the account of last resort. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431008
Checks: C-37559r614132_chk

If the UEM server is using password authentication, verify the server stores only cryptographic representations of passwords. If the UEM server is using password authentication but does not store only cryptographic representations of passwords, this is a finding.

Fix: F-37524r614133_fix

For a UEM server using password authentication, configure the server to store only cryptographic representations of passwords.
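The iterated salted verifier described in the discussion above, written out as an added example (this is illustrative code, not DISA's or any UEM vendor's implementation). It assumes SHA-256 as H, uses concatenation for the two-argument H, and treats "n" as a per-record iteration count stored beside the salt; the salt size and iteration count are constructed values. A second pair of functions does the same job with PBKDF2 over an SHA-2 HMAC, the standard FIPS-approved construction a production verifier would use.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not from the SRG): a 16-byte salt and
# an iteration count stored beside the salt. The SRG text calls "n" a random
# number; here it is treated as a per-record cost parameter.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 10_000


def iterated_hash(password: str, salt: bytes, n: int) -> bytes:
    """The SRG's scheme with SHA-256 as H:
    H0 = H(pwd, H(salt));  Hi = H(H(i-1), H(salt)) for i = 1..n.
    The two-argument H is realized as a hash over the concatenation."""
    h_salt = hashlib.sha256(salt).digest()
    h = hashlib.sha256(password.encode("utf-8") + h_salt).digest()
    for _ in range(n):
        h = hashlib.sha256(h + h_salt).digest()
    return h


def make_verifier(password: str, n: int = DEFAULT_ITERATIONS) -> dict:
    """Create the stored record: salt, n and Hn. The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "n": n, "hn": iterated_hash(password, salt, n)}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute Hn from the candidate and compare in constant time."""
    computed = iterated_hash(candidate, record["salt"], record["n"])
    return hmac.compare_digest(computed, record["hn"])


# The same idea with the standard FIPS-approved construction, PBKDF2 over an
# SHA-2 HMAC, which is what a production verifier should use.
def make_pbkdf2_verifier(password: str, n: int = DEFAULT_ITERATIONS) -> dict:
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n)
    return {"salt": salt, "n": n, "dk": dk}


def verify_pbkdf2(candidate: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             record["salt"], record["n"])
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    rec = make_verifier("correct horse battery staple")
    print("stored record:", rec["salt"].hex(), rec["n"], rec["hn"].hex())
    print("correct password accepted:", verify_password("correct horse battery staple", rec))
    print("wrong password accepted:", verify_password("Tr0ub4dor&3", rec))
```

A check of this kind is what the verification step above amounts to in practice: the stored record contains only the salt, the iteration count and the final digest, so a copy of the record does not reveal the password, and the comparison uses `hmac.compare_digest` so that timing does not leak how many leading bytes matched.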

c
For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
IA-5 - High - CCI-000197 - V-234375 - SV-234375r879609_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
SRG-APP-000172-UEM-000102
Vuln IDs
  • V-234375
Rule IDs
  • SV-234375r879609_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems must not be configured to use SHA-1 for integrity of remote access sessions. This requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort. This requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies:FIA_ENR_EXT.1.1, FCS_COP.1.1(2) Refinement
Checks: C-37560r614135_chk

For a UEM server using password authentication, verify the network element uses a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. If the UEM server is using password authentication but the network element does not use a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.

Fix: F-37525r614136_fix

For a UEM server using password authentication, configure the network element to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

b
The UEM server must enforce 24 hours/1 day as the minimum password lifetime.
IA-5 - Medium - CCI-000198 - V-234376 - SV-234376r879610_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
SRG-APP-000173-UEM-000103
Vuln IDs
  • V-234376
Rule IDs
  • SV-234376r879610_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431023
Checks: C-37561r614138_chk

Verify the UEM server enforces 24 hours/1 day as the minimum password lifetime. If the UEM server does not enforce 24 hours/1 day as the minimum password lifetime, this is a finding.

Fix: F-37526r614139_fix

Configure the UEM server to enforce 24 hours/1 day as the minimum password lifetime.

b
The UEM server must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-234377 - SV-234377r879611_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
SRG-APP-000174-UEM-000104
Vuln IDs
  • V-234377
Rule IDs
  • SV-234377r879611_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431024
Checks: C-37562r614141_chk

Verify the UEM server enforces a 60-day maximum password lifetime restriction. If the UEM server does not enforce a 60-day maximum password lifetime restriction, this is a finding.

Fix: F-37527r614142_fix

Configure the UEM server to enforce a 60-day maximum password lifetime restriction.

b
When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
IA-5 - Medium - CCI-000185 - V-234378 - SV-234378r879612_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
SRG-APP-000175-UEM-000105
Vuln IDs
  • V-234378
Rule IDs
  • SV-234378r879612_rule
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product entities (e.g., a syslog server) that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications. A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. Applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems. Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPv1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by Common Criteria may also violate the trusted channel rule set. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.
Validation of the certificate status information is out of scope for this requirement. Satisfies:FIA_X509_EXT.1.1(1), FIA_X509_EXT.2.1, FIA_X509_EXT.2.2
Checks: C-37563r614144_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. When using PKI-based authentication for user access, verify the UEM server validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor. If the UEM server uses PKI-based authentication for user access but does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.

Fix: F-37528r614145_fix

When using PKI-based authentication for user access, configure the UEM server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

b
When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.
IA-5 - Medium - CCI-000185 - V-234379 - SV-234379r879612_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
SRG-APP-000175-UEM-000106
Vuln IDs
  • V-234379
Rule IDs
  • SV-234379r879612_rule
When a UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Satisfies:FIA_X509_EXT.2.2 Reference:PP-MDM-412003
Checks: C-37564r614147_chk

Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate. If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.

Fix: F-37529r614148_fix

Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.
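The two preceding requirements (build a certification path to an accepted trust anchor including status information; never fall back to accepting a certificate when status cannot be determined) are shown below as an added example of how a UEM server component written in Python would configure its outbound TLS client. This is illustrative code, not DISA's or any product's; `ca_file` and `crl_file` are assumed deployment-supplied paths, and the "weak" context exists only to show the setting the requirement forbids next to the corrected one.

```python
import socket
import ssl
from typing import Optional


def weak_client_context() -> ssl.SSLContext:
    """The configuration the requirement forbids: no path validation at all.
    Shown only for comparison with the hardened context; never deploy it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None,
                            crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that builds a path to a trust anchor and requires
    revocation status for every certificate in that path.

    ca_file:  PEM bundle of the accepted trust anchors (assumed path supplied by
              the deployment); None falls back to the host's default store.
    crl_file: PEM CRL(s) covering the chain. With VERIFY_CRL_CHECK_CHAIN set,
              OpenSSL fails the handshake when a CRL for any certificate in the
              path is missing, instead of silently accepting the certificate.
              That is the fail-closed behaviour the second requirement asks for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN | ssl.VERIFY_X509_STRICT
    if ca_file is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file is not None:
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Auditable summary of a context, usable as the 'check' for this requirement."""
    return {
        "requires_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "checks_crl_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def connect_verified(host: str, port: int, ctx: ssl.SSLContext,
                     timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS connection. Any validation failure (untrusted chain,
    missing or stale CRL, name mismatch) raises ssl.SSLError; there is
    deliberately no retry path that accepts the certificate anyway."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        raise


if __name__ == "__main__":
    print("hardened:", policy_report(hardened_client_context()))
    print("weak:    ", policy_report(weak_client_context()))
```

The important design point is that status checking is enforced by the library at handshake time rather than by application code after the fact: once `VERIFY_CRL_CHECK_CHAIN` is set, a chain without revocation data cannot be accepted by any code path, which is easier to audit than a conditional check that an exception handler might skip.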

b
The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
IA-5 - Medium - CCI-000186 - V-234380 - SV-234380r879613_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
SRG-APP-000176-UEM-000107
Vuln IDs
  • V-234380
Rule IDs
  • SV-234380r879613_rule
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Satisfies:FIA_X509_EXT.1.1(1)
Checks: C-37565r614150_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server, when using PKI-based authentication, enforces authorized access to the corresponding private key. If the UEM server, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding.

Fix: F-37530r614151_fix

Configure the UEM server, when using PKI-based authentication, to enforce authorized access to the corresponding private key.

b
The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.
IA-5 - Medium - CCI-000187 - V-234381 - SV-234381r879614_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
SRG-APP-000177-UEM-000108
Vuln IDs
  • V-234381
Rule IDs
  • SV-234381r879614_rule
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Satisfies: FIA Reference:PP-MDM-414003
Checks: C-37566r614153_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server maps the authenticated identity to the individual user or group account for PKI-based authentication. If the UEM server does not map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.

Fix: F-37531r614154_fix

Configure the UEM server to map the authenticated identity to the individual user or group account for PKI-based authentication.

b
The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-6 - Medium - CCI-000206 - V-234382 - SV-234382r879615_rule
RMF Control
IA-6
Severity
Medium
CCI
CCI-000206
Version
SRG-APP-000178-UEM-000109
Vuln IDs
  • V-234382
Rule IDs
  • SV-234382r879615_rule
To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided information when typed into the system is a method used in addressing this risk. For example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431026
Checks: C-37567r614156_chk

Verify the UEM server obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. If the UEM server does not obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals, this is a finding.

Fix: F-37532r614157_fix

Configure the UEM server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

c
The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
IA-7 - High - CCI-000803 - V-234383 - SV-234383r879616_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
SRG-APP-000179-UEM-000110
Vuln IDs
  • V-234383
Rule IDs
  • SV-234383r879616_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and computing a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. Satisfies:FCS_COP.1.1(2)
Checks: C-37568r614159_chk

Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. If the UEM server does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications, this is a finding.

Fix: F-37533r614160_fix

Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.

b
The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS].
SC-11 - Medium - CCI-001135 - V-234390 - SV-234390r879623_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
SRG-APP-000191-UEM-000117
Vuln IDs
  • V-234390
Rule IDs
  • SV-234390r879623_rule
Examples of authorized IT entities: audit server, Active Directory, software update server, and database server. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Satisfies:FTP_ITC.1.1(1) Refinement Reference:PP-MDM-412062
Checks: C-37575r614180_chk

Verify the UEM server provides a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS]. If the UEM server does not provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS], this is a finding.

Fix: F-37540r614181_fix

Configure the UEM server to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS].
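The "mutually authenticated TLS" selection above, taken as an added example for the server side of the channel (illustrative code, not DISA's or any UEM product's). It assumes the UEM server terminates TLS itself with Python's `ssl` module, that `cert_file`, `key_file` and `client_ca_file` are deployment-supplied paths, and that the set of authorized IT entities is expressed as an allowlist of certificate names; `SAMPLE_PEERCERT` is a constructed dictionary in the shape `SSLSocket.getpeercert()` returns, not a real certificate.

```python
import ssl
from typing import Optional, Set


def mutual_tls_server_context(cert_file: Optional[str] = None,
                              key_file: Optional[str] = None,
                              client_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server context for a trusted channel to authorized IT entities.
    CERT_REQUIRED makes the handshake fail unless the peer presents a
    certificate that chains to client_ca_file, so an unauthenticated audit or
    directory client cannot even complete the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file is not None:          # the server's own identity (assumed paths)
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file is not None:     # trust anchor(s) for peer certificates
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """Check used to verify the context before a listener is opened."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def peer_identities(peercert: dict) -> Set[str]:
    """Names from a getpeercert() dict: subject commonName plus DNS SANs.
    getpeercert() returns the dict form only when verify_mode is not CERT_NONE,
    which is one more reason the context above requires a peer certificate."""
    names: Set[str] = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def authorized_peer(peercert: Optional[dict], allowlist: Set[str]) -> bool:
    """Authorization on top of authentication: a valid certificate from the
    right CA is still only accepted if it names an entity on the allowlist."""
    if not peercert:                   # unreachable with CERT_REQUIRED; fail closed anyway
        return False
    return bool(peer_identities(peercert) & allowlist)


# Constructed example of the structure getpeercert() returns for a peer that
# presented a certificate (names are placeholders, not real hosts).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "audit.uem.example"),)),
    "subjectAltName": (("DNS", "audit.uem.example"), ("DNS", "syslog.uem.example")),
}

AUTHORIZED_IT_ENTITIES = {"audit.uem.example", "directory.uem.example"}


if __name__ == "__main__":
    ctx = mutual_tls_server_context()
    print("client certificate required:", requires_client_cert(ctx))
    print("sample peer authorized:", authorized_peer(SAMPLE_PEERCERT, AUTHORIZED_IT_ENTITIES))
```

In a running server the sequence is `conn = ctx.wrap_socket(raw, server_side=True)` followed by `authorized_peer(conn.getpeercert(), AUTHORIZED_IT_ENTITIES)`; the connection is closed if the second call returns False, so both halves of "mutually authenticated" and "authorized IT entity" are checked before any application data is exchanged.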

b
The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-IPsec,-SSH,-TLS, -HTTPS].
SC-11 - Medium - CCI-001135 - V-234391 - SV-234391r879623_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
SRG-APP-000191-UEM-000118
Vuln IDs
  • V-234391
Rule IDs
  • SV-234391r879623_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Satisfies:FTP_TRP.1.1(1) Refinement
Checks: C-37576r614183_chk

Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS]. If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS], this is a finding.

Fix: F-37541r615961_fix

Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS].

b
The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-TLS, -HTTPS].
SC-11 - Medium - CCI-001135 - V-234392 - SV-234392r879623_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
SRG-APP-000191-UEM-000119
Vuln IDs
  • V-234392
Rule IDs
  • SV-234392r879623_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Satisfies:FTP_TRP.1.1(2) Refinement
Checks: C-37577r614186_chk

Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS]. If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS], this is a finding.

Fix: F-37542r615963_fix

Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS].

b
The UEM server must protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-234405 - SV-234405r879636_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
SRG-APP-000219-UEM-000132
Vuln IDs
  • V-234405
Rule IDs
  • SV-234405r879636_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). Satisfies:FIA_ENR_EXT.1.1, FTP_TRP.1.1(2), FTP_TRP.1.1(1)
Checks: C-37590r614225_chk

Verify the UEM server protects the authenticity of communications sessions. If the UEM server does not protect the authenticity of communications sessions, this is a finding.

Fix: F-37555r614226_fix

Configure the UEM server to protect the authenticity of communications sessions.

b
The UEM server must invalidate session identifiers upon user logout or other session termination.
SC-23 - Medium - CCI-001185 - V-234406 - SV-234406r879637_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001185
Version
SRG-APP-000220-UEM-000133
Vuln IDs
  • V-234406
Rule IDs
  • SV-234406r879637_rule
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
Checks: C-37591r614228_chk

Verify the UEM server invalidates session identifiers upon user logout or other session termination. If the UEM server does not invalidate session identifiers upon user logout or other session termination, this is a finding.

Fix: F-37556r614229_fix

Configure the UEM server to invalidate session identifiers upon user logout or other session termination.

b
The UEM server must recognize only system-generated session identifiers.
SC-23 - Medium - CCI-001664 - V-234407 - SV-234407r879638_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
SRG-APP-000223-UEM-000134
Vuln IDs
  • V-234407
Rule IDs
  • SV-234407r879638_rule
Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).
Checks: C-37592r614231_chk

Verify the UEM server recognizes only system-generated session identifiers. If the UEM server does not recognize only system-generated session identifiers, this is a finding.

Fix: F-37557r614232_fix

Configure the UEM server to recognize only system-generated session identifiers.

c
The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
SC-23 - High - CCI-001188 - V-234408 - SV-234408r879639_rule
RMF Control
SC-23
Severity
High
CCI
CCI-001188
Version
SRG-APP-000224-UEM-000135
Vuln IDs
  • V-234408
Rule IDs
  • SV-234408r879639_rule
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. The DRBGs Hash_DRBG, HMAC_DRBG, and CTR_DRBG are recommended for use with RNGs. This requirement is applicable to devices that use a web interface for device management. Satisfies:FCS_RBG_EXT.1.1, FIA_UAU.1.1, FIA_UAU.1.2
Checks: C-37593r614234_chk

Verify the UEM server generates unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm. If the UEM server does not generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm, this is a finding.

Fix: F-37558r614235_fix

Configure the UEM server to generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.
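The three session-identifier requirements above (invalidate on logout or termination; recognize only system-generated identifiers; generate them from a validated RNG) are combined into one added example of a server-side session table. This is illustrative code, not DISA's or any product's. It assumes the UEM server runs on a FIPS-configured host whose OS random source is the validated DRBG (`secrets.token_urlsafe` reads from `os.urandom`; the example does not itself verify FIPS mode), and the lifetime and identifier size are constructed policy values.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed policy values for this example (not from the SRG).
SESSION_ID_BYTES = 32          # 256 bits of CSPRNG output per identifier
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table. Only identifiers minted here are ever
    recognized; an identifier a client supplies on its own is simply unknown,
    so a client cannot choose or pre-set its own session ID."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl
        self._now = now            # injectable clock, so expiry is testable

    def create(self, user: str) -> str:
        # secrets.token_urlsafe draws from os.urandom, the OS CSPRNG. On a
        # FIPS-configured host that is the validated DRBG (assumed here).
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "expires": self._now() + self._ttl}
        return sid

    def resolve(self, presented: Optional[str]) -> Optional[str]:
        """Map a presented identifier to its user, or None if it is not one of
        ours, has expired, or has been invalidated."""
        if not isinstance(presented, str):
            return None
        rec = self._sessions.get(presented)
        if rec is None:
            return None
        if self._now() >= rec["expires"]:
            del self._sessions[presented]
            return None
        return rec["user"]

    def rotate(self, presented: str) -> Optional[str]:
        """Issue a fresh identifier for an existing session (e.g. at login or
        on privilege change) and retire the old one, so an identifier observed
        before authentication never survives into the authenticated session."""
        user = self.resolve(presented)
        if user is None:
            return None
        self.invalidate(presented)
        return self.create(user)

    def invalidate(self, presented: str) -> bool:
        """Logout or other termination: the identifier is forgotten at once."""
        return self._sessions.pop(presented, None) is not None

    def invalidate_user(self, user: str) -> int:
        """Terminate every session of a user (password change, admin lockout)."""
        doomed = [sid for sid, rec in self._sessions.items() if rec["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin1")
    print("issued:", sid)
    print("resolves to:", store.resolve(sid))
    print("client-chosen id resolves to:", store.resolve("1"))
    store.invalidate(sid)
    print("after logout resolves to:", store.resolve(sid))
```

Because the store is the only source of valid identifiers, "recognize only system-generated session identifiers" falls out of the design rather than needing a separate check: an identifier that was never returned by `create()` cannot be in the table.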

b
The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - V-234409 - SV-234409r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
SRG-APP-000225-UEM-000136
Vuln IDs
  • V-234409
Rule IDs
  • SV-234409r879640_rule
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes. In general, application security mechanisms should be designed so that a failure will follow the same execution path as disallowing the operation. For example, security methods, such as isAuthorized(), isAuthenticated(), and validate(), should all return false if there is an exception during processing. If security controls can throw exceptions, they must be very clear about exactly what that condition means. Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations. Satisfies:FPT_TST_EXT.1.2
Checks: C-37594r614237_chk

Verify the UEM server fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the UEM server does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.

Fix: F-37559r614238_fix

Configure the UEM server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
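The discussion above recommends that security methods such as isAuthorized() return false when processing throws an exception, and that initialization failures leave the system in a secure state. The following added example (illustrative code, not DISA's or any product's) shows both: a decorator that turns any exception inside an authorization decision into a denial, and a startup gate that refuses to proceed when any self-test fails. The role table, permission map and self-tests are constructed for the example.

```python
import functools
import logging
from typing import Callable, Dict, List, Set, Tuple

log = logging.getLogger("uem.security")


def fail_closed(check: Callable[..., bool]) -> Callable[..., bool]:
    """Wrap a security decision so that any exception becomes a denial.
    The exception is logged (the information SC-24 wants preserved) but never
    propagates into caller code that might treat "no denial" as "allowed"."""
    @functools.wraps(check)
    def wrapper(*args, **kwargs) -> bool:
        try:
            return bool(check(*args, **kwargs))
        except Exception:
            log.exception("security check %s raised; treating as denied", check.__name__)
            return False
    return wrapper


# Constructed role table and permission map for the example (not from the SRG).
ROLES: Dict[str, Set[str]] = {"alice": {"admin"}, "bob": {"helpdesk"}}
PERMISSIONS: Dict[str, str] = {"wipe_device": "admin", "view_inventory": "helpdesk"}


@fail_closed
def is_authorized(user: str, action: str) -> bool:
    # An unknown action or unknown user raises KeyError. The wrapper turns that
    # into False, the same result as an explicit denial.
    return PERMISSIONS[action] in ROLES[user]


def run_startup_self_tests(tests: List[Tuple[str, Callable[[], bool]]]) -> Tuple[bool, List[str]]:
    """Initialization gate. Every self-test runs; a test that raises counts as
    failed. Returns (ok, failed_names) so the caller can write the failure list
    to the audit log and refuse to open any listener unless ok is True."""
    failures: List[str] = []
    for name, test in tests:
        try:
            ok = bool(test())
        except Exception:
            log.exception("self-test %s raised", name)
            ok = False
        if not ok:
            failures.append(name)
    return (not failures), failures


if __name__ == "__main__":
    import sys
    logging.basicConfig(level=logging.INFO)
    print("alice may wipe:", is_authorized("alice", "wipe_device"))
    print("unknown user may wipe:", is_authorized("carol", "wipe_device"))
    ok, failed = run_startup_self_tests([
        ("config_readable", lambda: True),
        ("trust_store_present", lambda: False),   # constructed failing check
    ])
    if not ok:
        log.error("initialization failed: %s; not starting services", failed)
        sys.exit(1)
```

Note that the failure path and the denial path produce the same return value, which is the property the discussion asks for: code that calls `is_authorized()` cannot tell a thrown exception apart from a deliberate "no", so it cannot accidentally treat the former as success.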

b
In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SC-24 - Medium - CCI-001665 - V-234410 - SV-234410r879641_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
SRG-APP-000226-UEM-000137
Vuln IDs
  • V-234410
Rule IDs
  • SV-234410r879641_rule
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes. Satisfies:FAU_GEN.1.1(1)
Checks: C-37595r614240_chk

Verify the UEM server preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure. If the UEM server does not preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure, this is a finding.

Fix: F-37560r617413_fix

Configure the UEM server to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.

The UEM server must check the validity of all data inputs.
SI-10 - Medium - CCI-001310 - V-234421 - SV-234421r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
SRG-APP-000251-UEM-000148
Vuln IDs
  • V-234421
Rule IDs
  • SV-234421r879652_rule
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.
Checks: C-37606r617398_chk

Verify the UEM server checks the validity of all data inputs. If the UEM server does not check the validity of all data inputs, this is a finding.

Fix: F-37571r614274_fix

Configure the UEM server to check the validity of all data inputs.

The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11 - Medium - CCI-001312 - V-234424 - SV-234424r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
SRG-APP-000266-UEM-000151
Vuln IDs
  • V-234424
Rule IDs
  • SV-234424r879655_rule
Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. Satisfies:FAU_ALT_EXT.1.1, FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)
Checks: C-37609r614282_chk

Verify the UEM server generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. If the UEM server does not generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.

Fix: F-37574r614283_fix

Configure the UEM server to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).
SI-11 - Medium - CCI-001314 - V-234425 - SV-234425r879656_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
SRG-APP-000267-UEM-000152
Vuln IDs
  • V-234425
Rule IDs
  • SV-234425r879656_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies:FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)
Checks: C-37610r614285_chk

Verify the UEM server reveals error messages only to the ISSM and ISSO. If the UEM server does not reveal error messages only to the ISSM and ISSO, this is a finding.

Fix: F-37575r614286_fix

Configure the UEM server to reveal error messages only to the ISSM and ISSO.
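An added example, not from the SRG or any product, of error handling that addresses this requirement together with the preceding one (SI-11, V-234424): the user receives a generic message and a reference id, while the detailed record goes to a logger whose name is constructed here and which the deployment would route to the ISSM/ISSO destination only. The response_leaks helper is a self-check, not part of the server's behaviour.

```python
import json
import logging
import uuid

# Detail records go to a dedicated logger; the deployment routes this
# logger to the ISSM/ISSO destination only (constructed name).
detail_log = logging.getLogger("uem.errors.issm_isso")

GENERIC_MESSAGE = ("The request could not be completed. Contact your "
                   "administrator and quote the reference id.")


def handle_error(exc, request_path):
    """Build the user-facing response for an unexpected exception.

    The user gets what corrective action needs (a reference id to report).
    Exception type, message, stack trace and request path are written only
    to the detail log, never into the response.
    """
    ref = uuid.uuid4().hex[:12]
    detail_log.error("ref=%s path=%s type=%s detail=%s",
                     ref, request_path, type(exc).__name__, exc,
                     exc_info=exc)
    return {"status": "error", "reference": ref, "message": GENERIC_MESSAGE}


def logon_failure_response(submitted_identifier):
    """Logon failures never echo what was typed in the username field:
    it may be a password entered in the wrong box. Only the length is
    recorded, and only in the detail log."""
    ref = uuid.uuid4().hex[:12]
    detail_log.warning("ref=%s logon failure, identifier length %d",
                       ref, len(submitted_identifier))
    return {"status": "error", "reference": ref,
            "message": "Authentication failed."}


def response_leaks(response, sensitive):
    """Self-check: True if any sensitive string appears in the serialized
    response the user would see."""
    body = json.dumps(response)
    return any(s in body for s in sensitive)
```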

The UEM server must, when a component failure is detected, activate an organization-defined alarm and/or automatically shut down the application or the component.
SI-13 - Medium - CCI-001328 - V-234426 - SV-234426r879657_rule
RMF Control
SI-13
Severity
Medium
CCI
CCI-001328
Version
SRG-APP-000268-UEM-000153
Vuln IDs
  • V-234426
Rule IDs
  • SV-234426r879657_rule
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. This can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37611r614288_chk

Verify the UEM server, when a component failure is detected, activates an organization-defined alarm and/or automatically shuts down the application or the component. If the UEM server, when a component failure is detected, does not activate an organization-defined alarm and/or automatically shut down the application or the component, this is a finding.

Fix: F-37576r614289_fix

Configure the UEM server to activate an organization-defined alarm and/or automatically shut down the application or the component when a component failure is detected.

The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.
SI-6 - Medium - CCI-001294 - V-234430 - SV-234430r879661_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
SRG-APP-000275-UEM-000157
Vuln IDs
  • V-234430
Rule IDs
  • SV-234430r879661_rule
If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37615r614300_chk

Verify the UEM server notifies the ISSO and ISSM of failed security verification tests. If the UEM server does not notify the ISSO and ISSM of failed security verification tests, this is a finding.

Fix: F-37580r614301_fix

Configure the UEM server to notify the ISSO and ISSM of failed security verification tests.

The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created.
AC-2 - Medium - CCI-001683 - V-234438 - SV-234438r879669_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001683
Version
SRG-APP-000291-UEM-000165
Vuln IDs
  • V-234438
Rule IDs
  • SV-234438r879669_rule
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37623r614324_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server notifies system administrators and the ISSO when accounts are created. If the UEM server does not notify system administrators and the ISSO when accounts are created, this is a finding.

Fix: F-37588r614325_fix

Configure the UEM server to notify system administrators and the ISSO when accounts are created.

The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are modified.
AC-2 - Medium - CCI-001684 - V-234439 - SV-234439r879670_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001684
Version
SRG-APP-000292-UEM-000166
Vuln IDs
  • V-234439
Rule IDs
  • SV-234439r879670_rule
When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37624r614327_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server notifies system administrators and the ISSO when accounts are modified. If the UEM server does not notify system administrators and the ISSO when accounts are modified, this is a finding.

Fix: F-37589r614328_fix

Configure the UEM server to notify system administrators and the ISSO when accounts are modified.

The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account disabling actions.
AC-2 - Medium - CCI-001685 - V-234440 - SV-234440r879671_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001685
Version
SRG-APP-000293-UEM-000167
Vuln IDs
  • V-234440
Rule IDs
  • SV-234440r879671_rule
When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37625r614330_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server notifies system administrators and the ISSO for account disabling actions. If the UEM server does not notify system administrators and the ISSO for account disabling actions, this is a finding.

Fix: F-37590r614331_fix

Configure the UEM server to notify system administrators and the ISSO for account disabling actions.

The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account removal actions.
AC-2 - Medium - CCI-001686 - V-234441 - SV-234441r879672_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001686
Version
SRG-APP-000294-UEM-000168
Vuln IDs
  • V-234441
Rule IDs
  • SV-234441r879672_rule
When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37626r617414_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server notifies system administrators and the ISSO for account removal actions. If the UEM server does not notify system administrators and the ISSO for account removal actions, this is a finding.

Fix: F-37591r614334_fix

Configure the UEM server to notify system administrators and the ISSO for account removal actions.

The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.
AC-12 - Medium - CCI-002361 - V-234442 - SV-234442r879673_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
SRG-APP-000295-UEM-000169
Vuln IDs
  • V-234442
Rule IDs
  • SV-234442r879673_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages. Satisfies:FMT_SMF.1.1(2) b Reference:PP-MDM-431014
Checks: C-37627r614336_chk

Verify the UEM server automatically terminates a user session after an organization-defined period of user inactivity. If the UEM server does not automatically terminate a user session after an organization-defined period of user inactivity, this is a finding.

Fix: F-37592r614337_fix

Configure the UEM server to automatically terminate a user session after an organization-defined period of user inactivity.

The UEM server must provide logout capability for user-initiated communication sessions.
AC-12 - Medium - CCI-002363 - V-234443 - SV-234443r879674_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
SRG-APP-000296-UEM-000170
Vuln IDs
  • V-234443
Rule IDs
  • SV-234443r879674_rule
If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. Satisfies:FMT_SMF.1.1(2) b Reference:PP-MDM-431015
Checks: C-37628r614339_chk

Verify the UEM server provides a logout capability for user-initiated communication sessions. If the UEM server does not provide a logout capability for user-initiated communication sessions, this is a finding.

Fix: F-37593r614340_fix

Configure the UEM server to provide a logout capability for user-initiated communication sessions.

The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-12 - Medium - CCI-002364 - V-234444 - SV-234444r879675_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002364
Version
SRG-APP-000297-UEM-000171
Vuln IDs
  • V-234444
Rule IDs
  • SV-234444r879675_rule
If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.
Checks: C-37629r614342_chk

Verify the UEM server displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. If the UEM server does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.

Fix: F-37594r614343_fix

Configure the UEM server to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

The UEM server must automatically audit account-enabling actions.
AC-2 - Medium - CCI-002130 - V-234465 - SV-234465r879696_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
SRG-APP-000319-UEM-000192
Vuln IDs
  • V-234465
Rule IDs
  • SV-234465r879696_rule
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37650r614405_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account enabling actions. If the UEM server does not automatically audit account enabling actions, this is a finding.

Fix: F-37615r614406_fix

Configure the UEM server to automatically audit account enabling actions.

The UEM server must notify system administrator and Information System Security Officer (ISSO) of account enabling actions.
AC-2 - Medium - CCI-002132 - V-234466 - SV-234466r879697_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002132
Version
SRG-APP-000320-UEM-000193
Vuln IDs
  • V-234466
Rule IDs
  • SV-234466r879697_rule
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37651r851528_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server notifies the system administrator and the ISSO of account enabling actions. If the UEM server does not notify the system administrator and the ISSO of account enabling actions, this is a finding.

Fix: F-37616r614409_fix

Configure the UEM server to notify the system administrator and the ISSO of account enabling actions.

The UEM server must employ an audited override of automated access control mechanisms under organization-defined conditions.
AC-3 - Medium - CCI-002186 - V-234473 - SV-234473r879704_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002186
Version
SRG-APP-000327-UEM-000200
Vuln IDs
  • V-234473
Rule IDs
  • SV-234473r879704_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Actions that could adversely impact the system must be audited for forensic analysis. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37658r614429_chk

Verify the UEM server employs an audited override of automated access control mechanisms under organization-defined conditions. If the UEM server does not employ an audited override of automated access control mechanisms under organization-defined conditions, this is a finding.

Fix: F-37623r614430_fix

Configure the UEM server to employ an audited override of automated access control mechanisms under organization-defined conditions.

The UEM server must be configured to have at least one user in defined administrator roles.
AC-3 - Medium - CCI-002169 - V-234475 - SV-234475r879706_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002169
Version
SRG-APP-000329-UEM-000202
Vuln IDs
  • V-234475
Rule IDs
  • SV-234475r879706_rule
Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations that they may not understand or approve, which can weaken overall security and increase the risk of compromise.
Defined roles:
- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.
- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.
- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.
Satisfies:FMT_SMR.1.1(1) Reference:PP-MDM-411058
Checks: C-37660r615068_chk

Verify the UEM server has at least one user in defined administrator roles. If the UEM server does not have at least one user in defined administrator roles, this is a finding.

Fix: F-37625r615069_fix

Configure the UEM server to have at least one user in defined administrator roles.

The UEM server must audit the execution of privileged functions.
AC-6 - Medium - CCI-002234 - V-234489 - SV-234489r879720_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
SRG-APP-000343-UEM-000216
Vuln IDs
  • V-234489
Rule IDs
  • SV-234489r879720_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat. Satisfies:FAU_GEN.1.1(1), b.
Checks: C-37674r615110_chk

Verify the UEM server audits the execution of privileged functions. If the UEM server does not audit the execution of privileged functions, this is a finding.

Fix: F-37639r615111_fix

Configure the UEM server to audit the execution of privileged functions.

The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
AC-7 - Medium - CCI-002238 - V-234491 - SV-234491r879722_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
SRG-APP-000345-UEM-000218
Vuln IDs
  • V-234491
Rule IDs
  • SV-234491r879722_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431030
Checks: C-37676r851554_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically locks the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. If the UEM server does not automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded, this is a finding.

Fix: F-37641r615117_fix

Configure the UEM server to automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
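An added example, not from the SRG or any product, of the lockout logic this requirement describes: failures inside a 15-minute sliding window are counted per account, the lock is taken on the third failure, it never expires on its own, and only an administrator action clears it. The threshold and window are parameters; the account names and the injected clock are constructed for the test.

```python
from collections import defaultdict, deque
from datetime import timedelta


class LockoutPolicy:
    """Failed-logon tracker with an administrator-only release.

    limit failures within window lock the account. There is no automatic
    expiry of the lock: elapsed time never unlocks it. Time is passed in by
    the caller so the behaviour is deterministic and testable.
    """

    def __init__(self, limit=3, window=timedelta(minutes=15)):
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure times
        self._locked = set()
        self.audit = []  # privileged unlock actions, for the audit trail

    def is_locked(self, account):
        return account in self._locked

    def record_failure(self, account, now):
        """Call after each unsuccessful logon. Returns True if the account
        is locked after this failure."""
        if account in self._locked:
            return True
        times = self._failures[account]
        times.append(now)
        # Forget failures that have aged out of the window.
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) >= self.limit:
            self._locked.add(account)
            times.clear()
        return account in self._locked

    def record_success(self, account):
        """A correct password is refused while the account is locked;
        otherwise the failure history is reset. Returns whether the logon
        may proceed."""
        if account in self._locked:
            return False
        self._failures.pop(account, None)
        return True

    def admin_unlock(self, account, admin):
        """The only way out of the locked state. Recorded in self.audit
        because releasing a lock is a privileged function."""
        self._locked.discard(account)
        self._failures.pop(account, None)
        self.audit.append(("unlock", account, admin))
```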

The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
AU-4 - Medium - CCI-001851 - V-234500 - SV-234500r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SRG-APP-000358-UEM-000228
Vuln IDs
  • V-234500
Rule IDs
  • SV-234500r879731_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference:PP-MDM-411054
Checks: C-37685r851564_chk

Verify the UEM server transfers UEM server logs to another server for storage, analysis, and reporting. If the UEM server does not transfer UEM server logs to another server for storage, analysis, and reporting, this is a finding. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

Fix: F-37650r615144_fix

Configure the UEM server to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-234516 - SV-234516r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
SRG-APP-000374-UEM-000244
Vuln IDs
  • V-234516
Rule IDs
  • SV-234516r879747_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. Satisfies:FAU_GEN.1.2(1)
Checks: C-37701r615191_chk

Verify the UEM server records time stamps for audit records that can be mapped to UTC or GMT. If the UEM server does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.

Fix: F-37666r615192_fix

Configure the UEM server to record time stamps for audit records that can be mapped to UTC or GMT.

The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
AU-8 - Medium - CCI-001889 - V-234517 - SV-234517r879748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
SRG-APP-000375-UEM-000245
Vuln IDs
  • V-234517
Rule IDs
  • SV-234517r879748_rule
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Checks: C-37702r851582_chk

Verify the UEM server records time stamps for audit records that meet a granularity of one second for a minimum degree of precision. If the UEM server does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.

Fix: F-37667r615195_fix

Configure the UEM server to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
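As an added example (not part of the SRG or any vendor's product), the following Python checker applies the two time-stamp requirements above, UTC mappability and one-second granularity, to a constructed export of UEM audit records, and then orders the compliant records by their UTC instant. The record layout (time stamp as the first field) and the event names are assumptions for illustration.

```python
"""Checker for the two audit time-stamp requirements (V-234516, V-234517).

Added example; the record format below is a constructed illustration, not a
format any particular UEM product emits.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# ISO 8601 / RFC 3339 style: date, 'T', time (seconds optional so their absence
# can be detected), then an optional 'Z' or numeric +HH:MM / -HHMM offset.
_TS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T"
    r"(?P<time>\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?)"
    r"(?P<tz>Z|[+-]\d{2}:?\d{2})?$"
)

# Constructed sample export: first field is the time stamp, the rest is the event.
SAMPLE_RECORDS = [
    "2023-02-13T14:05:09Z uem-server event=policy_push device=TABLET-01",
    "2023-02-13T09:05:09-05:00 uem-server event=enroll device=PHONE-07",
    "2023-02-13T14:06 uem-server event=admin_login admin=jdoe",
    "2023-02-13T14:07:30 uem-server event=admin_logout admin=jdoe",
    "Feb 13 14:08:01 uem-server event=agent_checkin device=PHONE-07",
    "2023-02-13T14:04:59.250+00:00 uem-server event=agent_checkin device=TABLET-01",
]


def check_timestamp(ts: str) -> list[str]:
    """Return the findings for one time stamp; an empty list means compliant."""
    m = _TS_RE.match(ts.strip())
    if not m:
        return ["unparseable time stamp"]
    findings = []
    if m.group("tz") is None:
        # Local time with no offset cannot be mapped to UTC/GMT (V-234516).
        findings.append("no UTC offset")
    if m.group("time").count(":") < 2:
        # HH:MM only: coarser than the one-second minimum (V-234517).
        findings.append("granularity coarser than one second")
    return findings


def to_utc(ts: str) -> datetime | None:
    """Map a compliant time stamp to an aware UTC datetime; None if non-compliant."""
    m = _TS_RE.match(ts.strip())
    if not m or check_timestamp(ts):
        return None
    year, month, day = (int(x) for x in m.group("date").split("-"))
    hh, mm, ss = m.group("time").split(":")
    seconds = float(ss)
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        digits = tz[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        if tz[0] == "-":
            offset = -offset
    try:
        local = datetime(year, month, day, int(hh), int(mm), int(seconds),
                         int(round((seconds % 1) * 1_000_000)),
                         tzinfo=timezone(offset))
    except ValueError:  # e.g. month 13 or hour 25: syntactically valid, not a date
        return None
    return local.astimezone(timezone.utc)


def check_records(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, findings) for every non-compliant record."""
    results = []
    for n, line in enumerate(lines, start=1):
        ts = line.split(maxsplit=1)[0] if line.strip() else ""
        findings = check_timestamp(ts)
        if findings:
            results.append((n, findings))
    return results


def chronological_order(lines: list[str]) -> list[tuple[datetime, str]]:
    """Order compliant records by UTC instant, whatever offset they were logged in."""
    ordered = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        utc = to_utc(ts)
        if utc is not None:
            ordered.append((utc, rest))
    ordered.sort(key=lambda item: item[0])  # stable: equal instants keep file order
    return ordered


if __name__ == "__main__":
    for n, findings in check_records(SAMPLE_RECORDS):
        print(f"line {n}: finding: {'; '.join(findings)}")
    for utc, rest in chronological_order(SAMPLE_RECORDS):
        print(utc.isoformat(), rest)
```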

The UEM server must verify the digital signature of software before installation and alert the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and other designated personnel if unauthorized software is detected.
CM-11 - Medium - CCI-001811 - V-234519 - SV-234519r879750_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001811
Version
SRG-APP-000377-UEM-000247
Vuln IDs
  • V-234519
Rule IDs
  • SV-234519r879750_rule
Unauthorized software not only increases risk by increasing the number of potential vulnerabilities, it also can contain malicious code. Sending an alert (in real time) when unauthorized software is detected allows designated personnel to take action on the installation of unauthorized software. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers). Satisfies: FPT_TUD_EXT.1.3
Checks: C-37704r851585_chk

Verify the UEM server verifies the digital signature of software before installation and alerts the ISSM, ISSO, and other designated personnel if unauthorized software is detected. If the UEM server does not verify the digital signature of software before installation and alert the ISSM, ISSO, and other designated personnel if unauthorized software is detected, this is a finding.

Fix: F-37669r615201_fix

Configure the UEM server to verify the digital signature of software before installation and alert the ISSM, ISSO, and other designated personnel if unauthorized software is detected.

The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.
CM-11 - Medium - CCI-001812 - V-234520 - SV-234520r879751_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
SRG-APP-000378-UEM-000248
Vuln IDs
  • V-234520
Rule IDs
  • SV-234520r879751_rule
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications. Satisfies: FPT_TUD_EXT.1.2
Checks: C-37705r851587_chk

Verify the UEM server prohibits user installation of software by an administrator without the appropriate assigned permission for software installation. If the UEM server does not prohibit user installation of software by an administrator without the appropriate assigned permission for software installation, this is a finding.

Fix: F-37670r615204_fix

Configure the UEM server to prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.

The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
CM-11 - Medium - CCI-001812 - V-234521 - SV-234521r879751_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
SRG-APP-000378-UEM-000249
Vuln IDs
  • V-234521
Rule IDs
  • SV-234521r879751_rule
If the application install policy is not enforced, malicious applications and vulnerable applications can be installed on managed mobile devices, which could compromise DoD data. Satisfies: FMT_MOF.1.1(3) Reference: PP-MDM-423206
Checks: C-37706r851589_chk

Verify the UEM server allows only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. If the UEM server does not allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications, this is a finding.

Fix: F-37671r615207_fix

Configure the UEM server to allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.

The UEM server must enforce access restrictions associated with changes to the server configuration.
CM-5 - Medium - CCI-001813 - V-234523 - SV-234523r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
SRG-APP-000380-UEM-000251
Vuln IDs
  • V-234523
Rule IDs
  • SV-234523r879753_rule
Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Satisfies: FMT_SMR.1.1(1)
Checks: C-37708r615212_chk

Verify the UEM server enforces access restrictions associated with changes to the server configuration. If the UEM server does not enforce access restrictions associated with changes to the server configuration, this is a finding.

Fix: F-37673r615213_fix

Configure the UEM server to enforce access restrictions associated with changes to the server configuration.

The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.
CM-5 - Medium - CCI-001814 - V-234524 - SV-234524r879754_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001814
Version
SRG-APP-000381-UEM-000252
Vuln IDs
  • V-234524
Rule IDs
  • SV-234524r879754_rule
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. Satisfies: FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2) c.8 Reference: PP-MDM-411065, PP-MDM-412000
Checks: C-37709r851593_chk

Verify the UEM server audits the enforcement actions used to restrict access associated with changes to the application. If the UEM server does not audit the enforcement actions used to restrict access associated with changes to the application, this is a finding.

Fix: F-37674r615216_fix

Configure the UEM server to audit the enforcement actions used to restrict access associated with changes to the application.

The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.
CM-7 - Medium - CCI-001762 - V-234526 - SV-234526r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
SRG-APP-000383-UEM-000254
Vuln IDs
  • V-234526
Rule IDs
  • SV-234526r879756_rule
Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. Examples include unneeded listening ports. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure. Satisfies: FMT_SMF.1.1(2) Refinement b Reference: PP-MDM-431006
Checks: C-37711r851596_chk

Verify the UEM server disables organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure. If the UEM server does not disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, this is a finding.

Fix: F-37676r615222_fix

Configure the UEM server to disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.

The UEM server must require users (administrators) to reauthenticate when roles change.
IA-11 - Medium - CCI-002038 - V-234532 - SV-234532r879762_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
SRG-APP-000389-UEM-000260
Vuln IDs
  • V-234532
Rule IDs
  • SV-234532r879762_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: (i) when authenticators change; (ii) when roles change; (iii) when security categories of information systems change; (iv) when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Within the DoD, the minimum circumstances requiring reauthentication are privilege escalation and role changes. Satisfies: FMT_SMF.1.1(2) b Reference: PP-MDM-431016
Checks: C-37717r615239_chk

Verify the UEM server requires users (administrators) to reauthenticate when roles change. If the UEM server does not require users (administrators) to reauthenticate when roles change, this is a finding.

Fix: F-37682r615240_fix

Configure the UEM server to require users (administrators) to reauthenticate when roles change.

The UEM server must require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur.
IA-11 - Medium - CCI-002039 - V-234533 - SV-234533r879763_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002039
Version
SRG-APP-000390-UEM-000261
Vuln IDs
  • V-234533
Rule IDs
  • SV-234533r879763_rule
This requirement refers to the end-point device user reauthenticating to the device. The following are examples of organization-defined circumstances or situations requiring reauthentication: (i) after a screen lock; (ii) after device reboot; (iii) before installation of new device policy or profile; (iv) before executing a device reset or wipe. Satisfies: FMT_SMF.1.1(2) b Reference: PP-MDM-431016
Checks: C-37718r851604_chk

Verify the UEM server requires end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur. If the UEM server does not require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur, this is a finding.

Fix: F-37683r615243_fix

Configure the UEM server to require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur.

Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
IA-3 - High - CCI-001967 - V-234538 - SV-234538r879768_rule
RMF Control
IA-3
Severity
High
CCI
CCI-001967
Version
SRG-APP-000395-UEM-000266
Vuln IDs
  • V-234538
Rule IDs
  • SV-234538r879768_rule
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability. Satisfies: FIA_X509_EXT.1(1), FIA_ENR_EXT.1.1
Checks: C-37723r851610_chk

Verify the UEM server establishes a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed. If the UEM server does not establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed, this is a finding.

Fix: F-37688r878109_fix

Configure the UEM server to establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed.

The UEM server must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-234543 - SV-234543r879773_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
SRG-APP-000400-UEM-000271
Vuln IDs
  • V-234543
Rule IDs
  • SV-234543r879773_rule
If cached authentication information is out-of-date, the validity of the authentication information may be questionable. According to CNSSI 1253, the IA-5(13) control, which is tied to this requirement, is not defined at the DoD level. The organization should specify this value based on numerous factors, including the application in question, the data it hosts, and the associated exposures/risks.
Checks: C-37728r851617_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server prohibits the use of cached authenticators after an organization-defined time period. If the UEM server does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.

Fix: F-37693r615273_fix

Configure the UEM server to prohibit the use of cached authenticators after an organization-defined time period.

The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
IA-5 - Medium - CCI-001991 - V-234544 - SV-234544r879774_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001991
Version
SRG-APP-000401-UEM-000272
Vuln IDs
  • V-234544
Rule IDs
  • SV-234544r879774_rule
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Checks: C-37729r851619_chk

Verify the UEM server, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. If the UEM server, for PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.

Fix: F-37694r615276_fix

Configure the UEM server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network for PKI-based authentication.

The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
MA-4 - High - CCI-003123 - V-234555 - SV-234555r879785_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
SRG-APP-000412-UEM-000283
Vuln IDs
  • V-234555
Rule IDs
  • SV-234555r879785_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.
Checks: C-37740r851630_chk

Verify the UEM server web management tools use a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. If the UEM server web management tools do not use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions, this is a finding.

Fix: F-37705r615309_fix

Configure the UEM server web management tools with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.
MA-4 - Medium - CCI-002891 - V-234556 - SV-234556r879786_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002891
Version
SRG-APP-000413-UEM-000284
Vuln IDs
  • V-234556
Rule IDs
  • SV-234556r879786_rule
If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when non-local maintenance sessions have been terminated and are no longer available for use.
Checks: C-37741r851632_chk

Verify the UEM server verifies remote disconnection when non-local maintenance and diagnostic sessions are terminated. If the UEM server does not verify remote disconnection when non-local maintenance and diagnostic sessions are terminated, this is a finding.

Fix: F-37706r615312_fix

Configure the UEM server to verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.

The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
SC-23 - Medium - CCI-002470 - V-234573 - SV-234573r879798_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
SRG-APP-000427-UEM-000298
Vuln IDs
  • V-234573
Rule IDs
  • SV-234573r879798_rule
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). Satisfies: FIA_X509_EXT.1.1(1)
Checks: C-37758r851645_chk

Verify the UEM server allows only DoD-PKI established certificate authorities for verification of the establishment of protected sessions. If the UEM server does not allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions, this is a finding.

Fix: F-37723r615354_fix

Configure the UEM server to allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.

The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.
SC-23 - Medium - CCI-002470 - V-234574 - SV-234574r879798_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
SRG-APP-000427-UEM-000299
Vuln IDs
  • V-234574
Rule IDs
  • SV-234574r879798_rule
It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. Satisfies: FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 Reference: PP-MDM-412002
Checks: C-37759r615356_chk

Verify the UEM server uses X.509v3 certificates for code signing for system software updates. If the UEM server does not use X.509v3 certificates for code signing for system software updates, this is a finding.

Fix: F-37724r615357_fix

Configure the UEM server to use X.509v3 certificates for code signing for system software updates.

The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.
SC-23 - Medium - CCI-002470 - V-234575 - SV-234575r879798_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
SRG-APP-000427-UEM-000300
Vuln IDs
  • V-234575
Rule IDs
  • SV-234575r879798_rule
It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. Satisfies: FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 Reference: PP-MDM-412002
Checks: C-37760r615359_chk

Verify the UEM server uses X.509v3 certificates for code signing for integrity verification. If the UEM server does not use X.509v3 certificates for code signing for integrity verification, this is a finding.

Fix: F-37725r615360_fix

Configure the UEM server to use X.509v3 certificates for code signing for integrity verification.

The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
SC-8 - High - CCI-002418 - V-234588 - SV-234588r879810_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
SRG-APP-000439-UEM-000313
Vuln IDs
  • V-234588
Rule IDs
  • SV-234588r879810_rule
Applications may include the following: update server, database, and enterprise directory service. Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPSEC. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. This requirement applies to any application to which the server connects (for example SQL server, Active Directory). Satisfies: FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) Reference: PP-MDM-431009
Checks: C-37773r851661_chk

Verify the UEM server connects to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. If the UEM server does not connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information, this is a finding.

Fix: F-37738r615399_fix

Configure the UEM server to connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.

The UEM server must be configured to write to the server event log when invalid inputs are received.
SI-10 - Medium - CCI-002754 - V-234596 - SV-234596r879818_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-002754
Version
SRG-APP-000447-UEM-000321
Vuln IDs
  • V-234596
Rule IDs
  • SV-234596r879818_rule
A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. Satisfies: FPT_TST_EXT.1.2
Checks: C-37781r615422_chk

Verify the UEM server writes to the server event log when invalid inputs are received. If the UEM server does not write to the server event log when invalid inputs are received, this is a finding.

Fix: F-37746r615423_fix

Configure the UEM server to write to the server event log when invalid inputs are received.

The UEM server must remove old software components after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-234603 - SV-234603r879825_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002617
Version
SRG-APP-000454-UEM-000328
Vuln IDs
  • V-234603
Rule IDs
  • SV-234603r879825_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. If the update is due to a security issue with the old version of the app, the old version is not reinstalled. If rollback files are used by the server, they must be stored so that they are not easily accessible to the production system or cannot be accidentally installed on the operational system, and they must be deleted after a short period of time defined by the organization.
Checks: C-37788r615443_chk

Verify the UEM server removes old software components after updated versions have been installed. If the UEM server does not remove old software components after updated versions have been installed, this is a finding.

Fix: F-37753r615444_fix

Configure the UEM server to remove old software components after updated versions have been installed.

The UEM server must be maintained at a supported version.
SI-2 - High - CCI-002605 - V-234605 - SV-234605r879827_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
SRG-APP-000456-UEM-000330
Vuln IDs
  • V-234605
Rule IDs
  • SV-234605r879827_rule
The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Satisfies:FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 Reference:PP-MDM-414005
Checks: C-37790r615449_chk

Verify the UEM server is maintained at a supported version. If the UEM server is not maintained at a supported version, this is a finding.

Fix: F-37755r615450_fix

Configure the UEM server to be maintained at a supported version.

The UEM server must be configured with a periodicity of six hours or less for the following commands to the agent:
  • query connectivity status
  • query the current version of the managed device firmware/software
  • query the current version of installed mobile applications
  • read audit logs kept by the managed device
SI-6 - Medium - CCI-002696 - V-234622 - SV-234622r879843_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002696
Version
SRG-APP-000472-UEM-000347
Vuln IDs
  • V-234622
Rule IDs
  • SV-234622r879843_rule
Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 Reference:PP-MDM-411057
Checks: C-37807r851696_chk

Verify the UEM server is configured with a periodicity of six hours or less for the following commands to the agent:
  • query connectivity status;
  • query the current version of the managed device firmware/software;
  • query the current version of installed mobile applications;
  • read audit logs kept by the managed device.
If the UEM server is not configured with a periodicity of six hours or less for each of these commands, this is a finding.

Fix: F-37772r878111_fix

Configure the UEM server with a periodicity of six hours or less for the following commands to the agent:
  • query connectivity status;
  • query the current version of the managed device firmware/software;
  • query the current version of installed mobile applications;
  • read audit logs kept by the managed device.

The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.
SI-6 - Medium - CCI-002699 - V-234623 - SV-234623r879844_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002699
Version
SRG-APP-000473-UEM-000348
Vuln IDs
  • V-234623
Rule IDs
  • SV-234623r879844_rule
Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FPT_TST_EXT.1.1
Checks: C-37808r851699_chk

Verify the UEM server runs a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server. If the UEM server does not run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server, this is a finding.

Fix: F-37773r615504_fix

Configure the UEM server to run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.

The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.
SI-6 - Medium - CCI-002702 - V-234624 - SV-234624r879845_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
SRG-APP-000474-UEM-000349
Vuln IDs
  • V-234624
Rule IDs
  • SV-234624r879845_rule
If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_ALT_EXT.1.1 c.
Checks: C-37809r851701_chk

Verify the UEM server alerts the system administrator when anomalies in the operation of security functions are discovered. If the UEM server does not alert the system administrator when anomalies in the operation of security functions are discovered, this is a finding.

Fix: F-37774r615507_fix

Configure the UEM server to alert the system administrator when anomalies in the operation of security functions are discovered.

The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.
SI-7 - Medium - CCI-002740 - V-234629 - SV-234629r879850_rule
RMF Control
SI-7
Severity
Medium
CCI
CCI-002740
Version
SRG-APP-000479-UEM-000354
Vuln IDs
  • V-234629
Rule IDs
  • SV-234629r879850_rule
Unauthorized modifications to software or firmware may be indicative of a sophisticated, targeted cyber-attack. Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Satisfies:FPT_TUD_EXT.1.3
Checks: C-37814r851707_chk

Verify the UEM server verifies software updates to the server using a digital signature mechanism prior to installing those updates. If the UEM server does not verify software updates to the server using a digital signature mechanism prior to installing those updates, this is a finding.

Fix: F-37779r615522_fix

Configure the UEM server to verify software updates to the server using a digital signature mechanism prior to installing those updates.

The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.
AU-12 - Medium - CCI-000172 - V-234642 - SV-234642r879863_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000492-UEM-000367
Vuln IDs
  • V-234642
Rule IDs
  • SV-234642r879863_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37827r616011_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to access security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access security objects occur, this is a finding.

Fix: F-37792r615561_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to access security objects occur.

The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.
AU-12 - Medium - CCI-000172 - V-234645 - SV-234645r879866_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000495-UEM-000370
Vuln IDs
  • V-234645
Rule IDs
  • SV-234645r879866_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37830r617401_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to modify privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify privileges occur, this is a finding.

Fix: F-37795r615570_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify privileges occur.

The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.
AU-12 - Medium - CCI-000172 - V-234646 - SV-234646r879867_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000496-UEM-000371
Vuln IDs
  • V-234646
Rule IDs
  • SV-234646r879867_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37831r616013_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to modify security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify security objects occur, this is a finding.

Fix: F-37796r615573_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify security objects occur.

The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.
AU-12 - Medium - CCI-000172 - V-234649 - SV-234649r879870_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000499-UEM-000374
Vuln IDs
  • V-234649
Rule IDs
  • SV-234649r879870_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37834r615581_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to delete privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete privileges occur, this is a finding.

Fix: F-37799r615582_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete privileges occur.

The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.
AU-12 - Medium - CCI-000172 - V-234651 - SV-234651r879872_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000501-UEM-000376
Vuln IDs
  • V-234651
Rule IDs
  • SV-234651r879872_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37836r616015_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to delete security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete security objects occur, this is a finding.

Fix: F-37801r615588_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete security objects occur.

The UEM server must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-234653 - SV-234653r879874_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000503-UEM-000378
Vuln IDs
  • V-234653
Rule IDs
  • SV-234653r879874_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37838r615593_chk

Verify the UEM server generates audit records when successful/unsuccessful logon attempts occur. If the UEM server does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.

Fix: F-37803r615594_fix

Configure the UEM server to generate audit records when successful/unsuccessful logon attempts occur.

The UEM server must generate audit records for privileged activities or other system-level access.
AU-12 - Medium - CCI-000172 - V-234654 - SV-234654r879875_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000504-UEM-000379
Vuln IDs
  • V-234654
Rule IDs
  • SV-234654r879875_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37839r615596_chk

Verify the UEM server generates audit records for privileged activities or other system-level access. If the UEM server does not generate audit records for privileged activities or other system-level access, this is a finding.

Fix: F-37804r615597_fix

Configure the UEM server to generate audit records for privileged activities or other system-level access.

The UEM server must generate audit records showing starting and ending time for user access to the system.
AU-12 - Medium - CCI-000172 - V-234655 - SV-234655r879876_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000505-UEM-000380
Vuln IDs
  • V-234655
Rule IDs
  • SV-234655r879876_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37840r615599_chk

Verify the UEM server generates audit records showing starting and ending time for user access to the system. If the UEM server does not generate audit records showing starting and ending time for user access to the system, this is a finding.

Fix: F-37805r615600_fix

Configure the UEM server to generate audit records showing starting and ending time for user access to the system.

The UEM server must generate audit records when concurrent logons from different workstations occur.
AU-12 - Medium - CCI-000172 - V-234656 - SV-234656r879877_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000506-UEM-000381
Vuln IDs
  • V-234656
Rule IDs
  • SV-234656r879877_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37841r615602_chk

Verify the UEM server generates audit records when concurrent logons from different workstations occur. If the UEM server does not generate audit records when concurrent logons from different workstations occur, this is a finding.

Fix: F-37806r615603_fix

Configure the UEM server to generate audit records when concurrent logons from different workstations occur.

The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.
AU-12 - Medium - CCI-000172 - V-234657 - SV-234657r879878_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000507-UEM-000382
Vuln IDs
  • V-234657
Rule IDs
  • SV-234657r879878_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37842r615605_chk

Verify the UEM server generates audit records when successful/unsuccessful accesses to objects occur. If the UEM server does not generate audit records when successful/unsuccessful accesses to objects occur, this is a finding.

Fix: F-37807r615606_fix

Configure the UEM server to generate audit records when successful/unsuccessful accesses to objects occur.

The UEM server must generate audit records for all direct access to the information system.
AU-12 - Medium - CCI-000172 - V-234658 - SV-234658r879879_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000508-UEM-000383
Vuln IDs
  • V-234658
Rule IDs
  • SV-234658r879879_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37843r615608_chk

Verify the UEM server generates audit records for all direct access to the information system. If the UEM server does not generate audit records for all direct access to the information system, this is a finding.

Fix: F-37808r615609_fix

Configure the UEM server to generate audit records for all direct access to the information system.

The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-234659 - SV-234659r879880_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-APP-000509-UEM-000384
Vuln IDs
  • V-234659
Rule IDs
  • SV-234659r879880_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000
Checks: C-37844r616017_chk

This requirement is Not Applicable when the UEM server is configured to use the DoD Central Directory Service for administrator account authentication. Verify the UEM server generates audit records for all account creations, modifications, disabling, and termination events. If the UEM server does not generate audit records for all account creations, modifications, disabling, and termination events, this is a finding.

Fix: F-37809r615612_fix

Configure the UEM server to generate audit records for all account creations, modifications, disabling, and termination events.

The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
SC-13 - High - CCI-002450 - V-234664 - SV-234664r879885_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
SRG-APP-000514-UEM-000389
Vuln IDs
  • V-234664
Rule IDs
  • SV-234664r879885_rule
FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security functions within the product being evaluated. Satisfies:FCS_COP.1.1(2)
Checks: C-37849r615626_chk

Verify the UEM server uses a FIPS-validated cryptographic module to generate cryptographic hashes. If the UEM server does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.

Fix: F-37814r615627_fix

Configure the UEM server to use a FIPS-validated cryptographic module to generate cryptographic hashes.

The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
AU-4 - Medium - CCI-001851 - V-234665 - SV-234665r879886_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SRG-APP-000515-UEM-000390
Vuln IDs
  • V-234665
Rule IDs
  • SV-234665r879886_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference:PP-MDM-411054
Checks: C-37850r851724_chk

Verify the UEM server, at a minimum, off-loads audit logs of interconnected systems in real time and off-loads audit logs of standalone systems weekly. If the UEM server does not off-load audit logs of interconnected systems in real time and off-load audit logs of standalone systems weekly, this is a finding.

Fix: F-37815r615630_fix

Configure the UEM server to, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.

The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-234666 - SV-234666r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-APP-000516-UEM-000391
Vuln IDs
  • V-234666
Rule IDs
  • SV-234666r879887_rule
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-37851r616021_chk

Verify the UEM server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the UEM server is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.

Fix: F-37816r615633_fix

Configure the UEM server in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.
CM-6 - Medium - CCI-000366 - V-234667 - SV-234667r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-APP-000516-UEM-000392
Vuln IDs
  • V-234667
Rule IDs
  • SV-234667r879887_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems. Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Satisfies:FAU_SAR.1.1 Reference:PP-MDM-413000
Checks: C-37852r615635_chk

Verify the UEM server allows authorized administrators to read all audit data from audit records on the server. If the UEM server does not allow authorized administrators to read all audit data from audit records on the server, this is a finding.

Fix: F-37817r615636_fix

Configure the UEM server to allow authorized administrators to read all audit data from audit records on the server.

The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
SC-13 - High - CCI-002450 - V-234668 - SV-234668r879888_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
SRG-APP-000555-UEM-000393
Vuln IDs
  • V-234668
Rule IDs
  • SV-234668r879888_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. Satisfies:FCS_COP.1.1(1), FTP_TRP.1.1(1) Reference:PP-MDM-414001
Checks: C-37853r615638_chk

Verify FIPS 140-2 mode has been implemented on the UEM server for all server and agent encryption. If FIPS 140-2 mode has not been implemented on the UEM server for all server and agent encryption, this is a finding.

Fix: F-37818r615639_fix

Configure the UEM server to implement FIPS 140-2 mode for all server and agent encryption.

The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
AC-17 - Medium - CCI-001453 - V-234669 - SV-234669r879889_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
SRG-APP-000560-UEM-000394
Vuln IDs
  • V-234669
Rule IDs
  • SV-234669r879889_rule
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation, either on DoD-only or on public-facing servers. Satisfies:FCS_TLSC_EXT.1.1 Reference:PP-MDM-412061
Checks: C-37854r615641_chk

Verify the UEM server is configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. If the UEM server is not configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.

Fix: F-37819r615642_fix

Configure the UEM server to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-234673 - SV-234673r879893_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
SRG-APP-000580-UEM-000398
Vuln IDs
  • V-234673
Rule IDs
  • SV-234673r879893_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. This requires device-to-device authentication. Information systems must use IEEE 802.1x, Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, or Kerberos to identify/authenticate devices on local and/or wide area networks. Satisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) Reference:PP-MDM-431009
Checks: C-37858r851729_chk

Verify the UEM server authenticates endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. If the UEM server does not authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based, this is a finding.

Fix: F-37823r615654_fix

Configure the UEM server to authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.
IA-3 - Medium - CCI-001967 - V-234674 - SV-234674r879894_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
SRG-APP-000585-UEM-000399
Vuln IDs
  • V-234674
Rule IDs
  • SV-234674r879894_rule
Pre-shared keys are symmetric keys that are already in place prior to the initiation of a Transport Layer Security (TLS) session (e.g., as the result of a manual distribution). In general, pre-shared keys should not be used. However, the use of pre-shared keys may be appropriate for some closed environments that have strong key management best practices. Pre-shared keys may be appropriate for constrained environments with limited processing, memory, or power. If pre-shared keys are appropriate and supported, the following additional guidelines must be followed. Consult SP 800-52 for recommended cipher suites for pre-shared keys. Pre-shared keys must be distributed in a secure manner, such as a secure manual distribution or using a key establishment certificate. These cipher suites employ a pre-shared key for device authentication (for both the server and the client) and may also use RSA or ephemeral Diffie-Hellman (DHE) algorithms for key establishment. Because these cipher suites require pre-shared keys, these suites are not generally applicable to classic secure website applications and are not expected to be widely supported in TLS clients or TLS servers. NIST suggests that these suites be considered in particular for infrastructure applications, particularly if frequent authentication of the network entities is required. These cipher suites may be used with TLS versions 1.1 or 1.2. Note that cipher suites using GCM, SHA-256, or SHA-384 are only available in TLS 1.2.
Checks: C-37859r851731_chk

Verify that cipher suites using pre-shared keys for device authentication have a minimum security strength of 112 bits or higher. If cipher suites using pre-shared keys for device authentication do not have a minimum security strength of 112 bits or higher, this is a finding.

Fix: F-37824r615657_fix

If cipher suites using pre-shared keys are used for device authentication, configure the UEM server to have a minimum security strength of 112 bits or higher.

The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-234676 - SV-234676r879897_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
SRG-APP-000605-UEM-000401
Vuln IDs
  • V-234676
Rule IDs
  • SV-234676r879897_rule
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. Satisfies:FIA_X509_EXT.1.1(1)
Checks: C-37861r616029_chk

Verify the UEM server validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the UEM server does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.

Fix: F-37826r615663_fix

Configure the UEM server to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
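The three requirements above (prohibiting negotiation of TLS 1.1 and lower, certificate-based bidirectional device authentication, and certification path validation against configured trust anchors) reduce to a few settings in a server's TLS configuration. The Go snippet below is an added example, not part of this SRG or of any UEM product: auditTLSConfig and hardenedServerConfig are hypothetical helpers, and the empty certificate pool stands in for the deployment's real CA bundle. Go's crypto/x509 path building checks issuer trust and time validity but does not fetch CRLs or OCSP responses, so revocation status, which the requirement also calls for, must be checked separately.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// auditTLSConfig reports, as a list of findings, the ways a server-side
// tls.Config falls short of the requirements: legacy protocol versions still
// negotiable, no cryptographic client authentication, and no trust anchors
// against which the peer's certification path can be built. Hypothetical helper.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	// A MinVersion of 0 means "library default", which has varied between Go
	// releases; an explicit floor documents intent and survives upgrades.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "client negotiation to TLS 1.1 or lower is not prohibited")
	}
	if cfg.ClientAuth != tls.RequireAndVerifyClientCert {
		findings = append(findings, "endpoint devices are not authenticated with a client certificate")
	}
	if cfg.ClientCAs == nil {
		findings = append(findings, "no trust anchors configured for certification path validation")
	}
	return findings
}

// hardenedServerConfig returns a server config that passes the audit. The
// server's own certificate chain (cfg.Certificates) and the client CA pool are
// loaded from the deployment's files; an empty pool is passed in this example.
func hardenedServerConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,               // prohibits TLS 1.1, TLS 1.0, SSL 3.0, SSL 2.0
		ClientAuth: tls.RequireAndVerifyClientCert, // bidirectional, certificate-based authentication
		ClientCAs:  clientCAs,                      // roots used to build and validate the client's path
	}
}

func main() {
	weak := &tls.Config{MinVersion: tls.VersionTLS10} // constructed weak configuration
	fmt.Println("weak config findings:", auditTLSConfig(weak))
	fmt.Println("hardened config findings:", auditTLSConfig(hardenedServerConfig(x509.NewCertPool())))
}
```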

The application must use a FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
IA-7 - High - CCI-000803 - V-234677 - SV-234677r879898_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
SRG-APP-000610-UEM-000402
Vuln IDs
  • V-234677
Rule IDs
  • SV-234677r879898_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Note: Although allowed by SP 800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used by the cryptographic module of the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. For digital signature verification, SP 800-131Ar1 allows SHA-1 for legacy use only. Satisfies:FCS_COP.1.1(4)
Checks: C-37862r616031_chk

Verify the UEM server uses a FIPS-validated SHA-256 or higher hash function for digital signature generation and verification. If the UEM server does not use a FIPS-validated SHA-256 or higher hash function for digital signature generation and verification, this is a finding.

Fix: F-37827r615666_fix

Configure the UEM server to use a FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.

The UEM Server must provide digitally signed policy updates to UEM Agent.
SC-23 - Medium - CCI-002470 - V-256892 - SV-256892r891314_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
SRG-APP-000427-UEM-000500
Vuln IDs
  • V-256892
Rule IDs
  • SV-256892r891314_rule
It is critical that the UEM server sign all policy updates with validated certificates. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. Satisfies: FMT_POL_EXT.1.1
Checks: C-60567r891313_chk

Verify the UEM server is signing all policy updates sent to the UEM Agent with validated certificates. If the UEM server is not signing all policy updates sent to the UEM Agent with validated certificates, this is a finding.

Fix: F-60510r891311_fix

Configure the UEM server to sign all policy updates sent to the UEM Agent with validated certificates.
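As an added example (not from the SRG or any UEM vendor) of the two signing requirements above, the Go code below signs a constructed policy document over a SHA-256 digest with an ECDSA P-256 key on the server side and verifies it on the agent side, rejecting a copy altered in transit. In a deployment the agent takes the public key from the server's certificate after the path validation required earlier, not from a key generated in-process; signPolicy, verifyPolicy and roundTrip are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signPolicy is the server side: hash the policy bytes with SHA-256 (an
// SP 800-131Ar1 approved function) and sign the digest with the server's
// ECDSA P-256 signing key. Hypothetical helper written for this example.
func signPolicy(priv *ecdsa.PrivateKey, policy []byte) ([]byte, error) {
	digest := sha256.Sum256(policy)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyPolicy is the agent side: recompute the digest and check it against
// the signature with the server's public key, which the agent must already
// trust (obtained from the server's validated certificate at enrollment).
func verifyPolicy(pub *ecdsa.PublicKey, policy, sig []byte) bool {
	digest := sha256.Sum256(policy)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// roundTrip runs the flow on a constructed policy document and reports whether
// the genuine update verified and whether a tampered copy was rejected.
func roundTrip() (genuineOK, tamperedRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	policy := []byte(`{"policy":"passcode","minLength":8}`) // constructed sample
	sig, err := signPolicy(priv, policy)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyPolicy(&priv.PublicKey, policy, sig)
	tampered := []byte(`{"policy":"passcode","minLength":0}`) // altered in transit
	tamperedRejected = !verifyPolicy(&priv.PublicKey, tampered, sig)
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := roundTrip()
	fmt.Println("genuine verified:", ok, "tampered rejected:", rejected, "err:", err)
}
```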