Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the network device configuration to see if the device conceals information previously visible on the display with a publicly viewable image during the session lock. This can be demonstrated by the network administrator. If previously visible information is not concealed with a publicly viewable image by the session lock, this is a finding.
Configure the network device to conceal information previously visible on the display with a publicly viewable image during the session lock.
Review the network device configuration to see if it initiates a session lock after a 15-minute period of inactivity. This may be verified by configuration check or demonstration. If a session lock is not initiated after a 15-minute period of inactivity, this is a finding.
Configure the network device to initiate a session lock after a 15-minute period of inactivity.
Directly observe the management application or the console; if an administrator cannot directly initiate a session lock from either the management application or the console, this is a finding.
This is an intrinsic capability of the client application or the console. Many terminal emulation clients implement this capability through software flow control or XOFF/XON flow control.
Review the network device configuration to determine if the device retains session lock until the administrator re-authenticates. This may be verified by configuration check, demonstration, or other validation test results. If the device does not require re-authentication before releasing the session lock, this is a finding.
Configure the network device to retain session lock until the administrator re-authenticates.
Review the network device configuration to determine if it automatically audits account creation or is configured to use an authentication server which would perform this function. If account creation is not automatically audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit the creation of accounts.
Check the network device to determine if account modification actions are automatically audited. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If account modification is not automatically audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit the modification of accounts.
Check the network device to determine if account disabling actions are automatically audited. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If account disabling actions are not audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit the disabling of accounts.
Check the network device to determine if account removal actions are automatically audited. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If account removal actions are not automatically audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit the removal of accounts.
If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this objective. Because the responsibility for meeting this objective is transferred to the AAA broker, this requirement is not applicable for the local network device. This requirement may be verified by demonstration or configuration review. Verify the network device is configured to assign appropriate user roles or access levels to authenticated users. This requirement may be verified by demonstration or configuration review. If the network device does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.
Configure the network device to assign appropriate user roles or access levels to authenticated users, or configure the network device to leverage an AAA solution that will satisfy this objective.
Review the network device configuration to determine if it enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies. If it does not enforce these approved authorizations, this is a finding.
Configure the network device to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts. If the device is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.
Configure the network device to enforce the limit of three consecutive invalid logon attempts during a 15-minute time period.
Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060. If such a banner is not presented, this is a finding. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Configure the network device to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
Determine if the network device is configured to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. If the network device does not retain the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.
Configure the network device to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
Determine if the network device protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. This requires logging all administrator access and configuration activity. This requirement may be verified by demonstration or configuration review. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. (Note that two-factor authentication of administrator access is needed to support this requirement.) If the network device does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.
Configure the network device or its associated authentication server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. Examples that support this include configuring the audit log to capture administration login events and configuration changes to the network device.
Determine if the network device generates audit records when successful/unsuccessful attempts to access privileges occur. If the network device does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.
Configure the network device to generate audit records when successful/unsuccessful attempts to access privileges occur.
Determine if the network device initiates session auditing upon startup. This requirement may be verified by validated test results. If the network device does not initiate session auditing upon startup, this is a finding.
Configure the network device to initiate session auditing upon startup.
Determine if the network device produces audit log records containing sufficient information to establish what type of event occurred. If the network device does not produce audit log records containing sufficient information to establish what type of event occurred, this is a finding.
Configure the network device to produce audit log records containing sufficient information to establish what type of event occurred.
Determine if the network device is configured to produce audit records containing information to establish when (date and time) the events occurred. If the network device does not produce audit records containing information to establish when the events occurred, this is a finding.
Configure the network device to produce audit records containing information to establish when (date and time) the events occurred.
Determine if the network device is configured to produce audit records containing information to establish where the events occurred. If the network device does not produce audit records containing information to establish where the events occurred, this is a finding.
Configure the network device to produce audit records containing information to establish where the events occurred.
Determine if the network device is configured to produce audit records containing information to establish the source (apparent cause) of the event. If the network device does not produce audit records containing information to establish the source of the event, this is a finding.
Configure the network device to produce audit records containing information to establish the source of the event.
Determine if the network device is configured to produce audit records that contain information to establish the outcome of the event. If the network device does not produce audit records that contain information to establish the outcome of the event, this is a finding.
Configure the network device to produce audit records that contain information to establish the outcome of the event.
Determine if the network device generates audit records containing information that establishes the identity of any individual or process associated with the event. This requirement may be verified by demonstration or validated test results. If the network device does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.
Configure the network device to generate audit records containing information that establishes the identity of any individual or process associated with the event.
Determine if the network device generates audit records containing the full-text recording of privileged commands. If such audit records are not being generated, this is a finding.
Configure the network device to generate audit records containing the full-text recording of privileged commands.
Determine if the network device uses internal system clocks to generate time stamps for audit records. This requirement may be verified by demonstration, configuration, or validated test results. If the network device does not use internal system clocks to generate time stamps for audit records, this is a finding.
Configure the network device to use internal system clocks to generate time stamps for audit records.
Determine if the network device protects audit information from any type of unauthorized modification with such methods as ensuring log files receive the proper file system permissions, limiting log data locations and leveraging user permissions and roles to identify the user accessing the data and the corresponding rights that the user enjoys. This requirement may be verified by demonstration, configuration, or validated test results. If the network device does not protect audit information from unauthorized modification, this is a finding.
Configure the network device to protect audit information from unauthorized modification.
Determine if the network device protects audit information from any type of unauthorized deletion with such methods as ensuring log files receive the proper file system permissions utilizing file system protections, restricting access to log data and backing up log data to ensure log data is retained, and leveraging user permissions and roles to identify the user accessing the data and the corresponding rights the user enjoys. This requirement may be verified by demonstration, configuration, or validated test results. If the network device does not protect audit information from unauthorized deletion, this is a finding.
Configure the network device to protect audit information from unauthorized deletion.
If the network device provides audit tools, check the device to determine if it protects audit tools from unauthorized access. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not protect its audit tools from unauthorized access, this is a finding.
Configure the network device to protect audit tools from unauthorized access.
If the network device provides audit tools, check the device to determine if it protects audit tools from unauthorized modification. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not protect its audit tools from unauthorized modification, this is a finding.
Configure the network device to protect audit tools from unauthorized modification.
If the network device provides audit tools, check to see that the network device protects audit tools from unauthorized deletion. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not protect its audit tools from unauthorized deletion, this is a finding.
Configure the network device to protect audit tools from unauthorized deletion.
Determine if the network device prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.
Configure the network device to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Determine if the network device limits privileges to change the software resident within software libraries. If it does not limit privileges to change the software resident within software libraries, this is a finding.
Configure the network device to limit privileges to change the software resident within software libraries.
Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. If any unnecessary or nonsecure functions are permitted, this is a finding.
Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Review the network device configuration to determine if an account of last resort is configured. Verify default admin and other vendor-provided accounts are disabled, removed, or renamed where possible. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe. If one local account does not exist for use as the account of last resort, this is a finding.
Configure the device to only allow one local account for use as the account of last resort.
Determine if the network device ensures that administrators are authenticated with an individual authenticator prior to using a group authenticator. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not authenticate administrators with an individual authenticator prior to using a group authenticator, this is a finding.
Configure the network device to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.
Determine if the network device implements replay-resistant authentication mechanisms for network access to privileged accounts. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If the network device does not implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Configure the network device to implement replay-resistant authentication mechanisms for network access to privileged accounts.
Determine if the network device or its associated authentication server enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review. If the network device or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.
Configure the network device or its associated authentication server to enforce a minimum 15-character password length.
Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one uppercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device and associated authentication server does not require that at least one uppercase character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used.
Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one lowercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device and associated authentication server does not require that at least one lowercase character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used.
Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device and associated authentication server does not require that at least one numeric character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one numeric character be used.
Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one special character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device and associated authentication server does not require that at least one special character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one special character be used.
Where passwords are used, confirm the characters are changed in at least eight of the positions within the password. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device and associated authentication server does not require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.
Configure the network device and associated authentication server to require that when a password is changed, the characters are changed in at least eight of the positions within the password.
Review the network device’s files using a text editor or a database tool that allows viewing data stored in database tables. Determine if password strings are readable/discernable. Determine if the network device, and any associated authentication servers, enforce only storing cryptographic representations of passwords. Verify that databases, configuration files, and log files have encrypted representations of all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device related database table. Also identify if the network device uses the MD5 hashing algorithm to create password hashes. If the network device, or any associated authentication servers, stores unencrypted (clear text) representations of passwords, this is a finding. If the network device uses MD5 hashing algorithm to create password hashes, this is a finding.
Configure the network device, and any associated authentication servers, to store all passwords using cryptographic representations. Configure all associated databases, configuration files, and log files to use only encrypted representations of passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device-related database table.
Determine if the network device or its associated authentication server transmits only encrypted representations of passwords. This requirement may be verified by demonstration or configuration review. If the network device or the associated authentication server transmits unencrypted representations of passwords, this is a finding.
Configure the network device or its associated authentication server to transmit only encrypted representations of passwords.
Determine if the network device obscures feedback of authentication information during the authentication process. This requirement may be verified by demonstration. If the network device does not obscure feedback of authentication information during the authentication process, this is a finding.
Configure the network device to obscure feedback of authentication information during the authentication process.
Determine if the network device uses FIPS 140-2 approved algorithms for authentication to a cryptographic module. If the network device is not configured to use a FIPS-approved authentication algorithm to a cryptographic module, this is a finding.
Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
Determine if the network device terminates the connection associated with a device management session at the end of the session or after five minutes of inactivity. This requirement may be verified by demonstration or configuration review. If the network device does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.
Configure the network device to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity.
If the network device uses a web interface for device management, determine if the network device invalidates session identifiers upon administrator logout or other session termination. This requirement may be verified by validated test results. If the network device does not invalidate session identifiers upon administrator logout or other session termination, this is a finding.
Configure the network device to invalidate session identifiers upon administrator logout or other session termination.
If the network device uses a web interface for device management, determine if it recognizes only system-generated session identifiers. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device recognizes other session identifiers than the system-generated ones, this is a finding.
Configure the network device to recognize only system-generated session identifiers.
If the network device uses a web interface for device management, determine if it generates unique session identifiers using a FIPS 140-2 approved random number generator. This requirement may be verified by validated NIST certification and vendor documentation. If the network device does not use unique session identifiers for its web interface for device management, this is a finding.
Configure the network device to generate unique session identifiers using a FIPS 140-2 approved random number generator.
List the contents of the network device’s local storage, including any drives supporting removable media (such as flash drives or CDs) and check the file permissions of all files on those drives. If any files allow read or write access by accounts not specifically authorized access or by non-privileged accounts, this is a finding.
Set the file permissions on files on the network device or on removable media used by the device so that only authorized administrators can read or change their contents.
Review the network device configuration to determine if it is configured to enable a logout for administrator-initiated communication sessions. If the network device is not configured to provide a logout mechanism for these sessions, this is a finding.
Configure the network device to provide a logout capability for administrator-initiated communication sessions.
This requirement may be verified by demonstration. If an explicit logoff message is not displayed, or provides clear evidence that the session has been terminated, this is a finding.
Configure the network device to display an explicit logoff message to administrators indicating the reliable termination of authenticated communications sessions. This may be a capability the device is inherently capable of.
Determine if the network device terminates shared/group account credentials when members leave the group. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. This requirement is not applicable if the device does not support shared/group credentials. If the network device does not terminate shared/group credentials when members leave the group, this is a finding.
Configure the network device to terminate shared/group account credentials when members leave the group.
Determine if the network device automatically audits account enabling actions. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If account enabling actions are not automatically audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit account enabling actions.
Check the network device to determine if organization-defined discretionary access control policies are enforced over defined subjects and objects. If it does not use discretionary access control, this is not a finding. If organization-defined discretionary access control policies are not enforced over defined subjects and objects, this is a finding.
Configure the network device to enforce organization-defined discretionary access control policies over defined subjects and objects.
Determine if the network device enforces role-based access control policy over defined subjects and objects. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If role-based access control policy is not enforced over defined subjects and objects, this is a finding.
Configure the network device or its associated authentication server to enforce role-based access control policy over defined subjects and objects.
Determine if the network device prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not prevent non-privileged users from executing privileged functions, this is a finding.
Configure the network device to prevent non-privileged users from executing privileged functions.
Determine if the network device audits the execution of privileged functions. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device does not audit the execution of privileged functions, this is a finding.
Configure the network device to audit the execution of privileged functions.
Determine if the network device allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. This requirement may be verified by configuration review or vendor-provided information. This requirement may be met through use of a properly configured syslog server if the device is configured to use the syslog server. If audit record store capacity is not allocated in accordance with organization-defined audit record storage requirements, this is a finding.
Configure the network device to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
Determine if the network device generates an immediate alert of all audit failure events requiring real-time alerts. This requirement may be verified by configuration review or validated test results. If an immediate alert of all audit failure events requiring real-time alerts is not generated, this is a finding.
Configure the network device to generate an immediate real-time alert of all audit failure events requiring real-time alerts.
Determine if the network device records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). This requirement may be verified by demonstration or configuration review. If the network device does not record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.
Configure the network device to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Determine if the network device records time stamps for audit records that meet a granularity of one second for a minimum degree of precision. This requirement may be verified by demonstration or configuration. If the network device does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.
Configure the network device to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
Determine if the network device prohibits installation of software without explicit privileged status. This requirement may be verified by demonstration or configuration review. If installation of software is not prohibited without explicit privileged status, this is a finding.
Configure the network device to prohibit installation of software without explicit privileged status.
Determine if the network device enforces access restrictions associated with changes to device configuration. If the network device does not enforce such access restrictions, this is a finding.
Configure the network device to enforce access restrictions associated with changes to device configuration.
Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review or validated test results. If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.
Configure the network device to audit the enforcement actions used to restrict access associated with changes to the device.
Review the network device configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). If the network device is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.
Configure the network device to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
Review the network device configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based. If the network device does not authenticate Network Time Protocol sources using authentication that is cryptographically based, this is a finding.
Configure the network device to authenticate Network Time Protocol sources using authentication that is cryptographically based.
Review the network device configuration to determine if the network device or its associated authentication server prohibits the use of cached authenticators after an organization-defined time period. If cached authenticators are used after an organization-defined time period, this is a finding.
Configure the network device or its associated authentication server to prohibit the use of cached authenticators after an organization-defined time period.
Determine if the network device restricts the use of maintenance functions to authorized personnel only. If other personnel can use maintenance functions on the network device, this is a finding.
Configure the network device to restrict use of maintenance functions to authorized personnel only.
Verify the network device uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. If the network device does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.
Configure the network device to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
Review the network device configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions If the network device is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.
Configure the network device to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm.
Determine if the network device protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. If the network device does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.
Check the network device to determine if organization-defined mandatory access control policies are enforced over all subjects and objects. If it does not use mandatory access control, this is not a finding. If organization-defined mandatory access control policies are not enforced over all subjects and objects, this is a finding.
Configure the network device to enforce organization-defined mandatory access control policies over all subjects and objects.
Determine if the network device generates audit records when successful/unsuccessful attempts to modify administrator privileges occur. If the network device does not generate audit records when successful/unsuccessful attempts to modify administrator privileges occur, this is a finding.
Configure the network device to generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
Determine if the network device generates audit records when successful/unsuccessful attempts to delete administrator privileges occur. If the network device does not generate audit records when successful/unsuccessful attempts to delete administrator privileges occur, this is a finding.
Configure the network device to generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
Determine if the network device generates audit records when successful/unsuccessful logon attempts occur. If it does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the network device to generate audit records when successful/unsuccessful logon attempts occur.
Determine if the network device generates audit records for privileged activities or other system-level access. If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.
Configure the network device to generate audit records for privileged activities or other system-level access.
Determine if the network device generates audit records showing starting and ending time for administrator access to the system. If the network device does not generate audit records showing starting and ending time for administrator access to the system, this is a finding.
Configure the network device to generate audit records showing starting and ending time for administrator access to the system.
Determine if the network device generates audit records when concurrent logons from different workstations occur. If the network device does not generate audit records when concurrent logons from different workstations occur, this is a finding.
Configure the network device to generate audit records when concurrent logons from different workstations occur.
Check the network device configuration to determine if the device off-loads audit records onto a different system or media than the system being audited. If the device does not off-load audit records onto a different system or media, this is a finding.
Configure the network device to off-load audit records onto a different system or media than the system being audited.
Determine if the network device generates audit log events for a locally developed list of auditable events. If the network device is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.
Configure the network device to generate audit log events for a locally developed list of auditable events.
Check the network device to determine if only authorized administrators have permissions for changes, deletions and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators. If unauthorized users are allowed to change the hardware or software, this is a finding.
Configure the network device to enforce access restrictions associated with changes to the system components.
Review the network device configuration to verify that the device is configured to use at least two authentication servers as primary source for authentication. If the network device is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.
Step 1: Configure the network device to use at least two authentication servers. Step 2: Configure the authentication order to use the authentication servers as primary source for authentication. Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication.
Review the network device configuration to determine if the device is configured to conduct backups of system-level information contained in the information system when changes occur. If the network device is not configured to conduct backups of system-level data when changes occur, this is a finding.
Configure the network device to conduct backups of system-level information contained in the information system when changes occur.
Review the network device backup configuration to determine if the network device backs up the information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. If the network device does not backup the information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner, this is a finding.
Configure the network device to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Review the network device configuration to see if the device limits the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types. If the network device does not limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type, this is a finding.
Configure the network device to limit the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types.
Verify that the network device is configured to send log data to at least two central log servers. If the network device is not configured to send log data to at least two central log servers, this is a finding.
Configure the network device to send log data to at least two central log servers.
Verify that the network device is in compliance with this requirement. If the network device is not running an operating system release that is currently supported by the vendor, this is a finding.
Upgrade the network device to an operating system that is supported by the vendor.
Determine if the network device is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not configured in accordance with the designated security configuration settings, this is a finding.
Configure the network device to be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Verify the network device is configured to use DoD PKI as MFA for interactive logins. Evidence of successful configuration is usually indicated by a prompt for the user to insert a smartcard. If the smartcard is already inserted, the network device will prompt the user to enter the corresponding PIN which unlocks the certificate keystore on the smartcard. If the network device is not configured to use DoD PKI as MFA for interactive logins, this is a finding. If the PKI authenticated user is not mapped to the effective local user account this is a finding . Note: Alternative MFA solutions for network devices with basic user interfaces (e.g., L2 switch with only SSH access) have been evaluated by the ICAM Configuration Control Board and DoD ICAM Governance Structure. Current alternatives include RSA SecureID tokens and YubiKey U2F/CTAP1 tokens. To use an alternative MFA solution, a business case and risk assessment must be presented to the Authorizing Official (AO) for review and acceptance. AOs may choose to accept the risk of using one of these alternatives in a target environment based on the business case that was presented. If so, it is the responsibility of the AO to determine if the risk should be downgraded to a CAT II or a CAT III based on the risk assessment of the target environment. If DoD PKI is not used but the network device makes use of an alternative FIPS 140-2 compliant, Cryptographic Module Validation Program (CMVP) validated password solution, then this requirement can be downgraded to a CAT III. Note: Other mitigation strategies which have not been evaluated by the DoD PUWG may include the use of one or more industry solutions. One-time password/PIN/passcodes (OTP), one-time URLs, time-based tokens, and biometrics are examples of such solutions. While AOs may choose to accept the risk of using these alternatives on a case-by-case basis, for DoD the risk of using these alternatives should never be mitigated below a CAT II. Note: This requirement is not applicable to the emergency account of last resort nor for service accounts (non-interactive users). Examples of service accounts include remote service brokers such as AAA, syslog, etc.
Configure the network device to use DoD PKI as MFA for interactive logins.
Verify the network device is configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL resources. If the network device is not configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources, this is a finding. Note: This requirement may be not applicable if the network device is not configured to use DoD PKI as multi-factor authentication for interactive logins. In that scenario, this requirement should be included as part of the business case and discussion with the AO who is required to accept the risk of the alternative solution. However, if alternative DoD or AO approved solutions are employed which still rely on some form of PKI (digital certificates), this requirement should be tailored to configure certificate validation of the accepted solution. An example may be the reinforcement of a list of explicitly allowed, unique per user, session certificates that are both configured on the devices and documented with the ISSO and ISSM (implying that all other certificates are also explicitly forbidden).
Configure the network device to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources.
If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable. If the network device is configured to use a AAA service account, and the AAA broker is configured to map validated certificates to centralized user accounts on behalf of the network device, that will satisfy this objective. Because the responsibility for meeting this objective is transferred to the AAA broker, this requirement is not applicable for the local network device. This requirement may be verified by demonstration or configuration review. Verify the network device is configured to map each validated certificate to a unique, centralized user account for all interactive users. If the network device is not configured to map each validated certificate to a unique, centralized user account for all interactive users, this is a finding. Note: If local user accounts are used on the device, this requirement cannot be met in its entirety and it is a permanent finding. This may be the case if AO’s choose to accept the risk of using local accounts on network devices for small, isolated environments where centralized directory services are not available in the infrastructure or where they are not cost effective to implement and maintain. In such cases, this requirement can be mitigated to a CAT III if the network device is configured to map each validated certificate to a unique, local user account for all interactive users. Note: This requirement is not applicable to the emergency account of last resort nor for service accounts (non-interactive users). Examples of service accounts include remote service brokers such as AAA, syslog, etc.
Configure the network device to use a AAA service account whereby the remote AAA broker will map the validated certificate used for PKI-based authentication to a centrally managed, interactive user account. Alternatively, for organizations who choose to accept the risk and permanent finding, configure the network device to map the validated certificate used for PKI-based authentication to a unique, local, interactive user account.
Obtain evidence that software updates are consistently applied to the network device within the time frame defined for each patch. If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding. If the network device does not install security-relevant updates within the time period directed by the authoritative source, this is a finding.
Institute and adhere to policies and procedures to ensure that patches are consistently applied to the network device within the time allowed.
Verify the network device is configured to disable accounts when the accounts have expired. If the network device is not configured to disable accounts when the accounts have expired, this is a finding.
Configure the network device to disable accounts when the accounts have expired.
Verify the network device is configured to disable accounts when the accounts are no longer associated to a user. If the network device is not configured to disable accounts when the accounts are no longer associated to a user, this is a finding.
Configure the network device to disable accounts when the accounts are no longer associated to a user.
Verify the network device is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. If the network device is not configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information, this is a finding.
Configure the network device to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Verify the network device is configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the network device is not configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.
Configure the network device to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Verify the network device is configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. If the network device is not configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements, this is a finding.
Configure the network device to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
Verify the network device is configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. If the network device is not configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency, this is a finding.
Configure the network device to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
Verify the network device is configured to update the list of passwords on an organization-defined frequency. If the network device is not configured to update the list of passwords on an organization-defined frequency, this is a finding.
Configure the network device to update the list of passwords on an organization-defined frequency.
Verify the network device is configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. If the network device is not configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly, this is a finding.
Configure the network device to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
Verify the network device is configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). If the network device is not configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a), this is a finding.
Configure the network device to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
Verify the network device is configured to require immediate selection of a new password upon account recovery. If the network device is not configured to require immediate selection of a new password upon account recovery, this is a finding.
Configure the network device to require immediate selection of a new password upon account recovery.
Verify the network device is configured to allow user selection of long passwords and passphrases, including spaces and all printable characters. If the network device is not configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, this is a finding.
Configure the network device to allow user selection of long passwords and passphrases, including spaces and all printable characters.
Verify the network device is configured to employ automated tools to assist the user in selecting strong password authenticators. If the network device is not configured to employ automated tools to assist the user in selecting strong password authenticators, this is a finding.
Configure the network device to employ automated tools to assist the user in selecting strong password authenticators.
Verify the network device is configured to implement a local cache of revocation data to support path discovery and validation. If the network device is not configured to implement a local cache of revocation data to support path discovery and validation, this is a finding.
Configure the network device to implement a local cache of revocation data to support path discovery and validation.
Verify the network device is configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. If the network device is not configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths, this is a finding.
Configure the network device to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
Verify the network device is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. If the network device is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.
Configure the network device to include only approved trust anchors in trust stores or certificate stores managed by the organization.
Verify the network device is configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. If the network device is not configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store, this is a finding.
Configure the network device to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
Verify the network device is configured to synchronize system clocks within and between systems or system components. If the network device is not configured to synchronize system clocks within and between systems or system components, this is a finding.
Configure the network device to synchronize system clocks within and between systems or system components.
Verify the network device is configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source. If the network device is not configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source, this is a finding.
Configure the network device to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.