CA API Gateway ALG Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2017-04-07

Updated At: 2018-09-23 19:12:30

Requirements

Each entry lists Vuln ID | Rule Version | CCI | Severity, followed by the rule's Title and Description.

SV-85907r1_rule | CAGW-GW-000100 | CCI-000213 | MEDIUM
Title: The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
Description: Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst

SV-85909r1_rule | CAGW-GW-000110 | CCI-001368 | MEDIUM
Title: The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
Description: Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information

SV-85911r1_rule | CAGW-GW-000120 | CCI-001414 | MEDIUM
Title: The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
Description: Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authori

SV-85913r1_rule | CAGW-GW-000130 | CCI-000048 | MEDIUM
Title: The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
Description: Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard

SV-85915r1_rule | CAGW-GW-000140 | CCI-000050 | MEDIUM
Title: The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
Description: The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD wil

SV-85917r1_rule | CAGW-GW-000150 | CCI-001384 | MEDIUM
Title: The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
Description: Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, pol

SV-85919r1_rule | CAGW-GW-000160 | CCI-000054 | MEDIUM
Title: The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.
Description: Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to Denial of Service (DoS) attacks. Thi

SV-85923r1_rule | CAGW-GW-000170 | CCI-000068 | MEDIUM
Title: The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Description: Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co

SV-85931r1_rule | CAGW-GW-000180 | CCI-000068 | MEDIUM
Title: The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
Description: Private key data is used to prove the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. Private key data associated with software certificate

SV-85939r1_rule | CAGW-GW-000190 | CCI-000068 | MEDIUM
Title: The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Description: SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the Gateway vulnerable to known and unknown attacks that exploi

SV-85949r2_rule | CAGW-GW-000200 | CCI-001453 | MEDIUM
Title: The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
Description: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern

SV-85953r1_rule | CAGW-GW-000210 | CCI-000133 | MEDIUM
Title: The CA API Gateway must produce audit records containing information to establish the source of the events.
Description: Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to

SV-85957r1_rule | CAGW-GW-000220 | CCI-000134 | MEDIUM
Title: The CA API Gateway must produce audit records containing information to establish the outcome of the events.
Description: Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network. Event outcomes can include indicators of event suc

SV-85959r1_rule | CAGW-GW-000230 | CCI-001487 | MEDIUM
Title: The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event.
Description: Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Associating informati

SV-85961r1_rule | CAGW-GW-000240 | CCI-000162 | MEDIUM
Title: The CA API Gateway must protect audit information from unauthorized read access.
Description: Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured netw

SV-85963r1_rule | CAGW-GW-000250 | CCI-000164 | MEDIUM
Title: The CA API Gateway must protect audit information from unauthorized deletion.
Description: If audit data becomes compromised, forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audi

SV-85965r1_rule | CAGW-GW-000260 | CCI-001493 | MEDIUM
Title: The CA API Gateway must protect audit tools from unauthorized access.
Description: Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface w

SV-85967r1_rule | CAGW-GW-000270 | CCI-000381 | MEDIUM
Title: The CA API Gateway must not have unnecessary services and functions enabled.
Description: Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are

SV-85969r1_rule | CAGW-GW-000280 | CCI-000381 | MEDIUM
Title: The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.
Description: Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, t

SV-85971r1_rule | CAGW-GW-000290 | CCI-000382 | MEDIUM
Title: The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
Description: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po

SV-85973r1_rule | CAGW-GW-000300 | CCI-000764 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Description: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga

SV-85975r1_rule | CAGW-GW-000310 | CCI-000764 | MEDIUM
Title: The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.
Description: User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. ALGs can implement functions such as traffic filtering, authentication, access, and authorization functions based on co

SV-85977r1_rule | CAGW-GW-000320 | CCI-000764 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
Description: User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users only. Users are prompted by the application or browser for credentials. Authentication service may be provid

SV-85979r1_rule | CAGW-GW-000330 | CCI-000766 | MEDIUM
Title: The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
Description: To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authenticat

SV-85981r1_rule | CAGW-GW-000340 | CCI-001942 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
Description: A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process

SV-85983r1_rule | CAGW-GW-000350 | CCI-000187 | MEDIUM
Title: The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
Description: Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is

SV-85985r1_rule | CAGW-GW-000360 | CCI-000804 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Description: Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users

SV-85987r1_rule | CAGW-GW-000370 | CCI-001094 | MEDIUM
Title: The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
Description: DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attack, network resources will be unavailable t

SV-85989r1_rule | CAGW-GW-000380 | CCI-001133 | MEDIUM
Title: The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
Description: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat

SV-85991r1_rule | CAGW-GW-000390 | CCI-001166 | MEDIUM
Title: The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
Description: Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScr

SV-85993r1_rule | CAGW-GW-000400 | CCI-001184 | MEDIUM
Title: The CA API Gateway must protect the authenticity of communications sessions.
Description: Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session, rather than for the n

SV-85995r1_rule | CAGW-GW-000410 | CCI-001185 | MEDIUM
Title: The CA API Gateway must invalidate session identifiers upon user logout or other session termination.
Description: Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an app

SV-85997r1_rule | CAGW-GW-000420 | CCI-001188 | MEDIUM
Title: The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
Description: Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. The CA API

SV-85999r1_rule | CAGW-GW-000430 | CCI-001240 | MEDIUM
Title: The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
Description: Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. In order to minimize any potential negative impact to the organization caused by malicious code, malicious code must be identified and eradicat

SV-86001r1_rule | CAGW-GW-000440 | CCI-001242 | MEDIUM
Title: The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed.
Description: Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code may also be able to run and attach programs, whic

SV-86003r1_rule | CAGW-GW-000450 | CCI-001243 | MEDIUM
Title: The CA API Gateway providing content filtering must block malicious code upon detection.
Description: Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network. The CA API Gateway must be configured to integrate with an ICAP enabled Intrusion Detection System such as McAf

SV-86005r1_rule | CAGW-GW-000460 | CCI-001243 | MEDIUM
Title: The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection.
Description: Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network. The ALG must be configured to block all detected malicious code. It is sometimes acceptable/necessary to genera

SV-86007r1_rule | CAGW-GW-000470 | CCI-001243 | MEDIUM
Title: The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
Description: Without an alert, security personnel may be unaware of an impending failure of the audit capability, which will impede the ability to perform forensic analysis and detect rate-based and other anomalies. The ALG generates an immediate (within seconds) ale

SV-86009r1_rule | CAGW-GW-000480 | CCI-001247 | MEDIUM
Title: The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms.
Description: The malicious software detection functionality on network elements needs to be constantly updated in order to identify new threats as they are discovered. All malicious software detection functions must come with an update mechanism that automatically up

SV-86011r1_rule | CAGW-GW-000490 | CCI-001312 | MEDIUM
Title: The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
Description: Providing too much information in error messages risks compromising the data and security of the application and system. Organizations must carefully consider the structure/content of error messages. The required information within error messages will va

SV-86013r1_rule | CAGW-GW-000500 | CCI-001695 | MEDIUM
Title: The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code.
Description: Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. This applies to mobile code that may or

SV-86015r1_rule | CAGW-GW-000510 | CCI-001169 | MEDIUM
Title: The CA API Gateway providing content filtering must prevent the download of prohibited mobile code.
Description: Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. This applies to mobile code that may or

SV-86017r1_rule | CAGW-GW-000520 | CCI-002314 | MEDIUM
Title: The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.
Description: Remote access devices, such as those providing remote access to network devices and information systems, that lack automated control capabilities increase risk and makes remote user access management difficult at best. Remote access is access to DoD nonp

SV-86019r1_rule | CAGW-GW-000530 | CCI-002346 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of inform

SV-86021r1_rule | CAGW-GW-000540 | CCI-002346 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of inform

SV-86023r1_rule | CAGW-GW-000550 | CCI-002346 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of inform

SV-86045r1_rule | CAGW-GW-000560 | CCI-002347 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information. Injection attacks allow a

SV-86047r1_rule | CAGW-GW-000570 | CCI-002347 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information. SQL injection attacks are

SV-86049r1_rule | CAGW-GW-000580 | CCI-002347 | MEDIUM
Title: To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
Description: Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may result in the compromise of information. Injection attacks allo

SV-86051r1_rule | CAGW-GW-000590 | CCI-001851 | MEDIUM
Title: The CA API Gateway must off-load audit records onto a centralized log server.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The CA API Gateway must include a method for off-loading aud

SV-86053r1_rule | CAGW-GW-000600 | CCI-002038 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
Description: Without reauthentication, users may access resources or perform tasks for which they do not have authorization. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/

SV-86055r1_rule | CAGW-GW-000610 | CCI-001951 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Description: For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication

SV-86057r1_rule | CAGW-GW-000620 | CCI-001948 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Description: For remote access to privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication cre

SV-86059r1_rule | CAGW-GW-000630 | CCI-002007 | MEDIUM
Title: The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period.
Description: If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. This requirement also applie

SV-86061r1_rule | CAGW-GW-000640 | CCI-001991 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Description: Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). The intent of this requirement is to require support for a secondary certificate validat

SV-86063r1_rule | CAGW-GW-000650 | CCI-002014 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.
Description: Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. This requiremen

SV-86065r1_rule | CAGW-GW-000660 | CCI-002470 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
Description: Non-DoD-approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security con

SV-86067r1_rule | CAGW-GW-000670 | CCI-002385 | MEDIUM
Title: The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
Description: If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS att

SV-86069r1_rule | CAGW-GW-000680 | CCI-002385 | MEDIUM
Title: The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
Description: If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy, which reduces the susceptibility of the ALG to many DoS attacks. The ALG must be configured to pre

SV-86071r1_rule | CAGW-GW-000700 | CCI-002403 | MEDIUM
Title: The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
Description: Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access co

SV-86073r1_rule | CAGW-GW-000710 | CCI-002754 | MEDIUM
Title: The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Description: A common vulnerability of network elements is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input

SV-86075r1_rule | CAGW-GW-000720 | CCI-002656 | MEDIUM
Title: The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
Description: Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack. Integration of the ALG with a system-wide intrusion detection system supports continuous monitoring and incident respo

SV-86077r1_rule | CAGW-GW-000770 | CCI-002664 | MEDIUM
Title: The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
Description: Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. Since these incidents require immediate action, these messages are assigne

SV-86079r1_rule | CAGW-GW-000790 | CCI-002664 | MEDIUM
Title: The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected.
Description: Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG generates an alert that notifies designated personnel of the Indic

SV-86081r1_rule | CAGW-GW-000800 | CCI-002664 | LOW
Title: The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected.
Description: Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG generates an alert that notifies designated personnel of the Indic

SV-86083r1_rule | CAGW-GW-000810 | CCI-002664 | LOW
Title: The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected.
Description: Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG generates an alert that notifies designated personnel of the Indic

SV-86085r1_rule | CAGW-GW-000820 | CCI-002664 | MEDIUM
Title: The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
Description: Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG generates an alert that notifies designated personnel of the Indic

SV-86087r1_rule | CAGW-GW-000830 | CCI-000197 | MEDIUM
Title: The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. This requirement applies to ALGs that provide

SV-86089r1_rule | CAGW-GW-000840 | CCI-001310 | MEDIUM
Title: The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
Description: Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or i

SV-86091r1_rule | CAGW-GW-000850 | CCI-001314 | MEDIUM
Title: The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about the network element. Limiting access to system logs and admi
    SV-86093r1_rule CAGW-GW-000860 CCI-000172 MEDIUM The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-86095r1_rule CAGW-GW-000870 CCI-000172 MEDIUM The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-86097r1_rule CAGW-GW-000880 CCI-002450 MEDIUM The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-86099r1_rule CAGW-GW-000890 CCI-002450 MEDIUM The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-86101r1_rule CAGW-GW-000930 CCI-000366 MEDIUM The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies. Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unk
    SV-86103r1_rule CAGW-GW-000940 CCI-000366 MEDIUM The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and un
    SV-86105r1_rule CAGW-GW-000950 CCI-002361 MEDIUM The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net
    SV-86107r1_rule CAGW-GW-000960 CCI-002363 MEDIUM The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions. If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker. However, for some types of interactive sessions, including, for example, remote logon, information systems typically send logoff messages as final mes
    SV-86109r1_rule CAGW-GW-000970 CCI-002364 MEDIUM The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Logoff messages for access, for exa
    SV-86111r1_rule CAGW-GW-000900 CCI-002450 MEDIUM The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-86113r1_rule CAGW-GW-000910 CCI-001851 MEDIUM The CA API Gateway must off-load audit records onto a centralized log server in real time. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. Off-loading is a common process in information s