If the BIG-IP APM module does not provide user access control intermediary services as part of the traffic management functions of the BIG-IP Core, this is not applicable. Verify the BIG-IP APM module is configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles >> Access Profiles List. Review Access Policy Profiles to verify configuration for authorization by employing identity-based, role-based, and/or attribute-based security policies. If the BIG-IP APM is not configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies, this is a finding.
If user access control intermediary services are provided as part of the traffic management functions of the BIG-IP Core, configure the BIG-IP APM module to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
If the BIG-IP APM module does not provide user access control intermediary services as part of the traffic management functions of the BIG-IP Core, this is not applicable. Verify the BIG-IP APM module is configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to virtual servers. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access. If the BIG-IP APM module is not configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the virtual servers, this is a finding.
If user access control intermediary services are provided as part of the traffic management functions of the BIG-IP Core, configure an access policy in the BIG-IP APM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to virtual servers.
If the BIG-IP APM module does not provide user access control intermediary services, this is not applicable. Verify the BIG-IP APM module is configured to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users accessing virtual servers acknowledge the usage conditions and take explicit actions to log on for further access. If the BIG-IP APM module is not configured to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.
If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
If the BIG-IP APM module does not provide user access control intermediary services, this is not applicable. Verify the BIG-IP APM module is configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications. If the BIG-IP APM module is not configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications, this is a finding.
If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). If the BIG-IP APM is not configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
If the BIG-IP APM module does not provide user access control intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges. If the BIG-IP APM is not configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges, this is a finding.
If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to restrict user authentication traffic to specific authentication server(s). If the BIG-IP APM module is not configured to restrict user authentication traffic to specific authentication server(s), this is a finding.
If user authentication intermediary services are provided, configure an access policy in the BIG-IP APM module to restrict user authentication traffic to specific authentication server(s).
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM is configured to use multifactor authentication for network access to non-privileged accounts. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for granting access. Verify the Access Profile is configured to use multifactor authentication for network access to non-privileged accounts. If the BIG-IP APM module is not configured to use multifactor authentication for network access to non-privileged accounts, this is a finding.
If user authentication intermediary services are provided, configure an access policy in the BIG-IP APM module to use multifactor authentication for network access to non-privileged accounts.
If the BIG-IP APM module does not provide PKI-based, user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module maps the authenticated identity to the user account for PKI-based authentication. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for PKI-based authentication. Verify the Access Profile is configured to map the authenticated identity to the user account for PKI-based authentication. If the BIG-IP APM module does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.
If the BIG-IP APM module provides PKI-based, user authentication intermediary services, configure a profile in the BIG-IP APM module to map the authenticated identity to the user account for PKI-based authentication.
If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users. Verify the Access Profile is configured to uniquely identify and authenticate non-organizational users. If the BIG-IP APM module is not configured to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers, this is a finding.
If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers.
If the BIG-IP APM module does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS and webmail), this is not applicable. Verify the BIG-IP APM module is configured to control remote access methods. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for managing remote access. Verify the Access Profile is configured to control remote access methods. If the BIG-IP APM module is not configured to control remote access methods, this is a finding.
If intermediary services for remote access communications traffic are provided, configure the BIG-IP APM module to control remote access methods.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for each Access Profile used for organizational access. If the BIG-IP APM module is not configured, or the process is not documented, to require users to reauthenticate when the user's role or information authorizations are changed, this is a finding.
Configure an access policy in the BIG-IP APM module to require users to reauthenticate when the user's role or information authorizations are changed. This will also require the administrator to force reauthentication when changes occur that the system cannot automatically detect. Update administrator training and the site's SSP to document this process.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for remote access for non-privileged accounts. Verify the Access Profile is configured to require multifactor authentication for remote access with non-privileged accounts. If the BIG-IP APM module is not configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.
If user authentication intermediary services are provided, configure an access policy in the BIG-IP APM module to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for remote access for privileged accounts. Verify the Access Profile is configured to require multifactor authentication for remote access with privileged accounts. If the BIG-IP APM module is not configured to require multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.
If user authentication intermediary services are provided, configure an access policy in the BIG-IP APM module to require multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users. Verify the Access Profile is configured to conform to FICAM-issued profiles. If the BIG-IP APM module is not configured to conform to FICAM-issued profiles, this is a finding.
If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module that conforms to FICAM-issued profiles.
Verify the BIG-IP APM module is configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives. This can be demonstrated by the SA sending an invalid input to a virtual server. Provide evidence that the virtual server was able to handle the invalid input and maintain operation. If the BIG-IP APM module is not configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives, this is a finding.
Configure the BIG-IP APM module to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.
If the BIG-IP APM module does not provide user access control intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for organizational access. Verify the Access Profile is configured to automatically terminate user sessions when organization-defined conditions or trigger events occur that require a session disconnect. If the BIG-IP APM module is not configured to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect, this is a finding.
If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect.
If the BIG-IP APM module does not provide user access control intermediary services, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used for connecting to virtual servers. Verify the Access Profile is configured to display an explicit logoff message to users, indicating the reliable termination of authenticated communications sessions. If the BIG-IP APM module is not configured to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions, this is a finding.
If user access control intermediary services are provided, configure the BIG-IP APM module to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for Access Profiles used for granting access. In the "Settings" section, view the value for "Maximum Session Timeout". If the F5 BIG-IP APM module is not configured for a "Maximum Session Timeout" value of 86,400 seconds or less, this is a finding.
BIG-IP LTM controls the timeout values of sessions in the definition of an access profile. Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for Access Profiles used for granting access. In the "Settings" section, set the value for "Maximum Session Timeout" to 86,400 seconds or less (24 hours or less).
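The "Maximum Session Timeout" check above can also be run over an exported configuration instead of clicking through each profile. The script below is an added example, not part of the STIG or of F5's tooling; it assumes the setting appears as the `max-session-timeout` property in `tmsh list apm profile access` output, and the sample text and profile names are constructed. Reporting a value of 0 as a finding rests on the assumption that 0 disables the limit.

```python
import re

MAX_ALLOWED = 86400  # seconds; the limit stated in the check text

# Constructed sample in the assumed shape of `tmsh list apm profile access`
# output. Profile names and values are made up for illustration.
SAMPLE = """\
apm profile access /Common/portal_ap {
    inactivity-timeout 900
    max-session-timeout 604800
}
apm profile access /Common/vpn_ap {
    inactivity-timeout 900
    max-session-timeout 28800
}
apm profile access /Common/kiosk_ap {
    inactivity-timeout 0
    max-session-timeout 0
}
apm profile access /Common/legacy_ap {
    inactivity-timeout 900
}
"""

HEADER = re.compile(r"^apm profile access (\S+) \{\s*$")
TIMEOUT = re.compile(r"^\s+max-session-timeout (\d+)\s*$")

def parse_profiles(text):
    """Return {profile_name: max-session-timeout, or None if not listed}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            profiles[current] = None
            continue
        m = TIMEOUT.match(line)
        if m and current is not None:
            profiles[current] = int(m.group(1))
    return profiles

def findings(text, limit=MAX_ALLOWED):
    """Return {profile_name: reason} for profiles that fail the check."""
    out = {}
    for name, value in parse_profiles(text).items():
        if value is None:
            out[name] = "max-session-timeout not listed; verify in the GUI"
        elif value == 0:
            # Assumption: 0 disables the limit, so it is reported, not passed.
            out[name] = "0 (assumed to mean no limit)"
        elif value > limit:
            out[name] = f"{value} s exceeds {limit} s"
    return out

if __name__ == "__main__":
    for name, reason in findings(SAMPLE).items():
        print(f"FINDING {name}: {reason}")
```

A profile whose output omits the property is reported for manual review rather than passed, since the script cannot tell what value is in effect.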