Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If CounterACT does not provide user access control intermediary services, this is not applicable. Verify CounterACT displays the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. 1. Log on to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Enable the "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner before granting access to the device. This banner must include the following text: By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If CounterACT does not display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network, this is a finding.
If user network access control intermediary services are provided, configure CounterACT to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. 1. Log in to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Enable the "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner before granting access to the device. This banner must include the following text: By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If CounterACT does not provide user access control intermediary services, this is not applicable. Verify CounterACT retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. 1. Log in to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Verify the options for logon banner "require confirmation" is selected. If CounterACT does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.
If user access control intermediary services are provided, configure CounterACT to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. 1. Log on to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Ensure the options for the logon banner "require confirmation" is selected.
If CounterACT does not provide user access control intermediary services, this is not applicable. Verify CounterACT displays the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. 1. Log on to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Enable the "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner before granting access to the device. This banner must include the following text: By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If CounterACT does not display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system, this is a finding.
If user access control intermediary services are provided, configure CounterACT to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. 1. Log on to CounterACT’s Administrator UI. 2. Go to Tools >> Options >> User Console and Options >> Password and Logon. 3. Enable the "Display this Notice and Consent Message after login" and complete the provided text input area to have the Standard Mandatory DoD and Consent Banner before granting access to the device. This banner must include the following text: By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Verify CounterACT sends an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. 1. Log in to the CounterACT Administrator interface. 2. Select Tools >> Options. 3. Select General. 4. Select the "+" next to general to open the submenu. Select email Preferences. 5. Ensure that the ISSO/SCA email address is configuration for notifications. If CounterACT does not send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs, this is a finding.
Configure CounterACT to send all alert notifications to, at a minimum, the ISSO and SCA when an audit processing failure occurs. 1. Log in to CounterACT’s Administrator interface. 2. Select Tools >> Options. 3. Select General. 4. Select the "+" next to general to open the submenu. Select email Preferences. 5. Ensure that the ISSO/SCA email address is configuration for notifications.
If CounterACT does not provide user authentication intermediary services, this is not applicable. Verify CounterACT is configured for NAC services authentication. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Verify the User Directory configured for Authentication. Select the configured directory (or directories) and on the General Tab ensure the "Use for Authentication" radio button is selected. Verify with site representatives that the directory service validates user account access authorizations and privileges. If CounterACT does not use a central directory service to validate user account access authorizations and privileges, this is a finding.
If user authentication service is provided by CounterACT, configure the use of a central directory service for user authentication. Obtain configuration information for a directory service (e.g., Active Directory or LDAP) that validates user account access authorizations and privileges. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Verify the User Directory configured for Authentication. Select the configured directory (or directories) and on the General Tab ensure the "Use for Authentication" radio button is selected.
If CounterACT does not provide user authentication intermediary services, this is not applicable. Verify CounterACT is configured to use a specific authentication server(s). 1. Connect to the CounterACT Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Verify the User Directory is configured for Authentication. Select the configured directory (or directories) and on the General Tab ensure the "Use for Authentication" radio button is selected. 4. Verify the Hostname is correct for the assigned directory and then select "OK". (Select "Apply" if changes were made.) 5. Select the directory and then select test. Verify both tests past. If CounterACT does not restrict user authentication traffic to a specific authentication server(s), this is a finding.
If user authentication service is provided by CounterACT, configure the use of a central directory service for user authentication. 1. Connect to the CounterACT Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Ensure the User Directory configured for Authentication. Select the configured directory (or directories) and on the General Tab ensure the "Use for Authentication" radio button is selected. 4. Ensure the Hostname is correct for the assigned directory and then select "OK". (Select "Apply" if changes were made.) 5. Select the directory and then select test. Ensure both tests passed.
If CounterACT does not provide user authentication intermediary services, this is not applicable. Verify CounterACT is configured to implement replay-resistant authentication mechanisms for network access to non-privileged accounts. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Verify the User Directory is configured for secure methods of communication. On the Settings TAB ensure the "Use TLS" radio button is selected. If CounterACT does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.
If user authentication intermediary services are provided, configure CounterACT to implement replay-resistant authentication mechanisms for network access to non-privileged accounts. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Ensure the User Directory is configured for secure methods of communication. On the Settings TAB ensure the "Use TLS" radio button is selected. 4. Select "OK". (Select "Apply" if changes were made.)
Verify CounterACT off-loads audit records onto a centralized log server. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> Plugins >> Syslog. 3. Verify a Syslog server is configured in the "Send To" tab. 4. On the Events Filtering Tab, ensure all radio buttons associated with NAC Events, Threat Protection, System Logs, User Operations, and Operating System messages are selected. If CounterACT does not off-load audit records onto a centralized log server, this is a finding.
Configure CounterACT to off-load audit records onto a centralized log server. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> Plugins >> Syslog. 3. Ensure a Syslog server is configured in the "Send To" tab. 4. On the Events Filtering Tab, ensure all radio buttons associated with NAC Events, Threat Protection, System Logs, User Operations, and Operating System messages are selected. 5. Select "OK". (Select "Apply" if changes were made.)
If CounterACT does not provide user authentication intermediary services, this is not applicable. Verify CounterACT is configured to require users to reauthenticate when organization-defined circumstances or situations require reauthentication. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> 802.1x. 3. Select the Pre-Admission Authorization tab. 4. On each Rule that "Accepts", verify there is an Attribute "Session-Timeout" configured to the maximum session configuration, typically 60 minutes, but not more than 120. If CounterACT does not require users to reauthenticate when organization-defined circumstances or situations require reauthentication, this is a finding.
If user access control intermediary services are provided, configure CounterACT to require users to reauthenticate when organization-defined circumstances or situations require reauthentication. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> 802.1x. 3. Select the Pre-Admission Authorization tab. 4. On each Rule that "Accepts", ensure there is an Attribute "Session-Timeout" configured to the maximum session configuration, typically 60 minutes, but not more than 120.
If CounterACT does not provide user authentication intermediary services, this is not applicable. Verify CounterACT implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Verify the User Directory configured for Authentication uses Multi-Factor credentials Select the configured directory (or directories) and on the General Tab verify the "Use for Authentication" radio button is selected. 4. Verify the Hostname is correct for the assigned directory then select "OK". (Select "Apply" if changes were made.) If CounterACT does not implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.
If user authentication intermediary services are provided, configure CounterACT to implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> User Directory. 3. Ensure the User Directory configured for Authentication uses Multi-Factor credentials Select the configured directory (or directories) and on the General Tab ensure the "Use for Authentication" radio button is selected. 4. Ensure the Hostname is correct for the assigned directory then select "OK". (Select "Apply" if changes were made.)
Verify CounterACT off-loads audit records onto a centralized log server in real time. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> Plugins >> Syslog. 3. Verify a Syslog server is configured in the "Send To" tab. 4. On the Events Filtering Tab, Verify all radio buttons associated with NAC Events, Threat Protection, System Logs, User Operations, and Operating systems messages are selected. If CounterACT does not off-load onto a centralized log server in real time, this is a finding.
Configure CounterACT to off-load onto a centralized log server in real time. 1. Connect to CounterACT’s Admin Console and log in. 2. Go to Tools >> Options >> Plugins >> Syslog. 3. Ensure a Syslog server is configured in the "Send To" tab. 4. On the Events Filtering Tab, ensure all radio buttons associated with NAC Events, Threat Protection, System Logs, User Operations, and Operating systems messages are selected.
Examine architecture documentation. Verify CounterACT implementation includes an Enterprise Manager combined with Appliances to ensure redundancy. It is also acceptable to have two appliances configured for redundancy. If CounterACT implementation does not include an Enterprise Manager combined with Appliances or a high availability solution to ensure redundancy, this is a finding.
Design and install CounterACT implementation to include an Enterprise Manager combined with one or more Appliances or a high availability solution. The Appliances will associate with the enterprise Manager or the high availability solution.