Network WLAN Controller Management V7R1

b

The network device must enforce a minimum 15-character password length.

IA-5 - Medium - CCI-000205 - V-243189 - SV-243189r720022_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

WLAN-ND-000200

Vuln IDs

V-243189

Rule IDs

SV-243189r720022_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-46464r720020_chk

Review the network device configuration to determine if the network device is configured with a password of at least 15 characters. If the network device password is not at least 15 characters in length, this is a finding.

Fix: F-46421r720021_fix

Configure the network device so it will require a password to gain administrative access to the device. Configure the password length to at least 15 characters.

b

The network device must not have any default manufacturer passwords when deployed.

IA-5 - Medium - CCI-002041 - V-243190 - SV-243190r720025_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002041

Version

WLAN-ND-000300

Vuln IDs

V-243190

Rule IDs

SV-243190r720025_rule

Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. Many default vendor passwords are well known or easily guessed; therefore, not removing them prior to deploying the network device into production provides an opportunity for a malicious user to gain unauthorized access to the device.

Checks: C-46465r720023_chk

Review the network device configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.

Fix: F-46422r720024_fix

Remove any vendor default passwords from the network device configuration.

b

The network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.

AC-8 - Medium - CCI-000048 - V-243191 - SV-243191r720028_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

WLAN-ND-000400

Vuln IDs

V-243191

Rule IDs

SV-243191r720028_rule

All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts limits DoD's ability to prosecute unauthorized access and also presents the potential for criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.

Checks: C-46466r720026_chk

Review the device configuration or request that the administrator log on to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.

Fix: F-46423r720027_fix

Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."

c

The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

SC-10 - High - CCI-001133 - V-243192 - SV-243192r720031_rule

RMF Control

SC-10

Severity

H

CCI

CCI-001133

Version

WLAN-ND-000500

Vuln IDs

V-243192

Rule IDs

SV-243192r720031_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-46467r720029_chk

Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.

Fix: F-46424r720030_fix

Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.

b

The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.

IA-2 - Medium - CCI-000770 - V-243193 - SV-243193r720034_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

WLAN-ND-000600

Vuln IDs

V-243193

Rule IDs

SV-243193r720034_rule

To ensure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. Where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.

Checks: C-46468r720032_chk

Review the network device configuration and validate that users are authenticated before they are assigned privileges based on the role or group the account is assigned to. If a user can gain access to network device privileges before they are authenticated, this is a finding.

Fix: F-46425r720033_fix

Configure the network device to authenticate users before assigning privileges to each individual user account based on the role or group the account is assigned to.

c

The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.

AC-3 - High - CCI-000213 - V-243194 - SV-243194r720037_rule

RMF Control

AC-3

Severity

H

CCI

CCI-000213

Version

WLAN-ND-000700

Vuln IDs

V-243194

Rule IDs

SV-243194r720037_rule

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.

Checks: C-46469r720035_chk

Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level, which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If authorized accounts are assigned to greater privileges than necessary, this is a finding.

Fix: F-46426r720036_fix

Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.

c

The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

MA-4 - High - CCI-003123 - V-243195 - SV-243195r720040_rule

RMF Control

MA-4

Severity

H

CCI

CCI-003123

Version

WLAN-ND-000800

Vuln IDs

V-243195

Rule IDs

SV-243195r720040_rule

This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.

Checks: C-46470r720038_chk

Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. - SSHv2 - SCP - HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.

Fix: F-46427r720039_fix

Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.

b

The network device must generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-243196 - SV-243196r720043_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

WLAN-ND-000900

Vuln IDs

V-243196

Rule IDs

SV-243196r720043_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Checks: C-46471r720041_chk

Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.

Fix: F-46428r720042_fix

Configure the device to log all access attempts to the device to establish a management connection for administrative access.

c

The network device must be running an operating system release that is currently supported by the vendor.

CM-6 - High - CCI-000366 - V-243197 - SV-243197r720046_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

WLAN-ND-001000

Vuln IDs

V-243197

Rule IDs

SV-243197r720046_rule

Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.

Checks: C-46472r720044_chk

Have the administrator display the operating system version in operation. The operating system must be current, with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or is not currently supported by the vendor, this is a finding.

Fix: F-46429r720045_fix

Update the operating system to a supported version that addresses all related IAVMs.

c

The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.

CM-6 - High - CCI-000366 - V-243198 - SV-243198r720049_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

WLAN-ND-001100

Vuln IDs

V-243198

Rule IDs

SV-243198r720049_rule

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Checks: C-46473r720047_chk

Review the network device configuration to verify all management connections use an authentication server for administrative access. If the network device is not configured to use an authentication server for management access, this is a finding.

Fix: F-46430r720048_fix

Configure authentication for all management connections using an authentication server.

b

The network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

IA-3 - Medium - CCI-001967 - V-243199 - SV-243199r720052_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

WLAN-ND-001200

Vuln IDs

V-243199

Rule IDs

SV-243199r720052_rule

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and types) of devices that truly need to support this capability.

Checks: C-46474r720050_chk

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a CAT II. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a CAT II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a CAT II provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and a migration plan has been developed that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Fix: F-46431r720051_fix

If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

b

The network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

AC-2 - Medium - CCI-001358 - V-243200 - SV-243200r720055_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001358

Version

WLAN-ND-001300

Vuln IDs

V-243200

Rule IDs

SV-243200r720055_rule

Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.

Checks: C-46475r720053_chk

Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the local account of last resort is contained in a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.

Fix: F-46432r720054_fix

Configure the device to allow only one local account of last resort for emergency access and store the credentials in a secure manner.

b

The network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.

AC-7 - Medium - CCI-000044 - V-243201 - SV-243201r720058_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

WLAN-ND-001400

Vuln IDs

V-243201

Rule IDs

SV-243201r720058_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.

Checks: C-46476r720056_chk

Review the configuration and verify the number of unsuccessful SSH logon attempts is set at "3", after which time it must block any login attempt for 15 minutes. If the device is not configured to reset unsuccessful SSH logon attempts at "3" and then block any login attempt for 15 minutes, this is a finding.

Fix: F-46433r720057_fix

Configure the network device to require a maximum number of unsuccessful SSH logon attempts at "3", after which time it must block any login attempt for 15 minutes.

c

The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

CM-7 - High - CCI-000382 - V-243202 - SV-243202r720061_rule

RMF Control

CM-7

Severity

H

CCI

CCI-000382

Version

WLAN-ND-001500

Vuln IDs

V-243202

Rule IDs

SV-243202r720061_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, it must be documented and approved.

Checks: C-46477r720059_chk

Review the configuration of the network device. Verify all unnecessary and/or nonsecure functions, ports, protocols, and/or services are disabled. If any unnecessary and/or nonsecure functions, ports, protocols, and/or services are not disabled, this is a finding.

Fix: F-46434r720060_fix

Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

b

The network device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

IA-3 - Medium - CCI-001967 - V-243203 - SV-243203r720064_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

WLAN-ND-001600

Vuln IDs

V-243203

Rule IDs

SV-243203r720064_rule

If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.

Checks: C-46478r720062_chk

Review the network device configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based. If the network device does not authenticate Network Time Protocol sources using authentication that is cryptographically based, this is a finding.

Fix: F-46435r720063_fix

Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.

b

The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.

IA-2 - Medium - CCI-001941 - V-243204 - SV-243204r720067_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

WLAN-ND-001700

Vuln IDs

V-243204

Rule IDs

SV-243204r720067_rule

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Checks: C-46479r720065_chk

Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.

Fix: F-46436r720066_fix

Configure the network device to use SSH Version 2.

b

The network device must be configured with both an ingress and egress ACL.

CM-5 - Medium - CCI-000345 - V-243205 - SV-243205r720070_rule

RMF Control

CM-5

Severity

M

CCI

CCI-000345

Version

WLAN-ND-001800

Vuln IDs

V-243205

Rule IDs

SV-243205r720070_rule

Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.

Checks: C-46480r720068_chk

1. Verify the managed interface has an inbound and outbound ACL or filter. 2. Verify the ingress ACL blocks all transit traffic (any traffic not destined to the router itself). In addition, traffic accessing the managed elements should be originated at the NOC. 3. Verify the egress ACL blocks any traffic not originated by the managed element. If the management interface does not have an ingress and egress filter configured and applied, this is a finding.

Fix: F-46437r720069_fix

If the management interface is a routed interface, configure it with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

b

The network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.

CM-6 - Medium - CCI-000366 - V-243206 - SV-243206r720073_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WLAN-ND-001900

Vuln IDs

V-243206

Rule IDs

SV-243206r720073_rule

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Checks: C-46481r720071_chk

Review the configuration and verify the network device synchronizes internal information system clocks using redundant authoritative time sources. If the device is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Fix: F-46438r720072_fix

Configure the device to synchronize internal information system clocks using redundant authoritative time sources.

Checks: C-46464r720020_chk

Fix: F-46421r720021_fix

Generate Mitigation Statement:

Checks: C-46465r720023_chk

Fix: F-46422r720024_fix

Generate Mitigation Statement:

Checks: C-46466r720026_chk

Fix: F-46423r720027_fix

Generate Mitigation Statement:

Checks: C-46467r720029_chk

Fix: F-46424r720030_fix

Generate Mitigation Statement:

Checks: C-46468r720032_chk

Fix: F-46425r720033_fix

Generate Mitigation Statement:

Checks: C-46469r720035_chk

Fix: F-46426r720036_fix

Generate Mitigation Statement:

Checks: C-46470r720038_chk

Fix: F-46427r720039_fix

Generate Mitigation Statement:

Checks: C-46471r720041_chk

Fix: F-46428r720042_fix

Generate Mitigation Statement:

Checks: C-46472r720044_chk

Fix: F-46429r720045_fix

Generate Mitigation Statement:

Checks: C-46473r720047_chk

Fix: F-46430r720048_fix

Generate Mitigation Statement:

Checks: C-46474r720050_chk

Fix: F-46431r720051_fix

Generate Mitigation Statement:

Checks: C-46475r720053_chk

Fix: F-46432r720054_fix

Generate Mitigation Statement:

Checks: C-46476r720056_chk

Fix: F-46433r720057_fix

Generate Mitigation Statement:

Checks: C-46477r720059_chk

Fix: F-46434r720060_fix

Generate Mitigation Statement:

Checks: C-46478r720062_chk

Fix: F-46435r720063_fix

Generate Mitigation Statement:

Checks: C-46479r720065_chk

Fix: F-46436r720066_fix

Generate Mitigation Statement:

Checks: C-46480r720068_chk

Fix: F-46437r720069_fix

Generate Mitigation Statement:

Checks: C-46481r720071_chk

Fix: F-46438r720072_fix

Generate Mitigation Statement: