Remote Access Policy STIG V2R10

a

Sites allowing contractors, non-DoD entities, or other DoD organization to remotely connect to the enclave will establish written Memorandum of Agreements (MOAs) with the contractor or other orgranization.

Low - V-14751 - SV-15507r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-015

Vuln IDs

V-14751

Rule IDs

SV-15507r1_rule

To provide the maximum level of security for both the DoD network and the remote corporate enterprise, an MOA is needed that allows administrative oversight and confiscation of compromised equipment. Information Assurance OfficerECSC-1

Checks: C-12973r1_chk

Ensure the site maintains administrative oversight and control privileges of the computers. NOTE: The MOA will contain an agreement that allows the site to maintain administrative oversight and control privileges of the remote end point.

Fix: F-14217r1_fix

Define written agreements for contractors, partners, and other remote users to begin maintaining administrative oversight and control privileges.

b

Ensure the use a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communications server software.

Medium - V-18535 - SV-20078r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-080

Vuln IDs

V-18535

Rule IDs

SV-20078r1_rule

Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities. The system administrator must monitor IAVM, OS, or OEM patch or vulnerability notices for the remote access, VPN, or communications appliance(s). Patches, upgrades, and configuration changes should be tested to the greatest extent possible prior to installation. The vendor may be consulted to determine if the specific device is vulnerable. If the vendor does not recommend installing a patch or upgrade, and has stated that the device is not vulnerable, the administrator will retain this documentation.System AdministratorInformation Assurance OfficerECSC-1, VIVM-1

Checks: C-21324r1_chk

Verify remote access gateway release and maintenance level. Research the vendor's vulnerability list and current version/revision. This can be obtained on the vendor's support page of their website.

Fix: F-19140r1_fix

When the system administator is notified that previously installed versions of the remote access device, the version will be tested and installed as soon as the mission permits. However, previous version with security vulnerabilities must be documented in a Plan of Action and Milestones (POAM).

b

Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users.

Medium - V-18536 - SV-20079r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-090

Vuln IDs

V-18536

Rule IDs

SV-20079r1_rule

When services, ports, and protocols are enabled by default or are not regularly used, SAs can neglect to secure or updates them. These services can then become a path for exploitation since they are often well known vulnerabilities to attackers. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-21325r1_chk

Have the SA display the services running on the remote access device or underlying OS. CAVEAT: Anti-virus software running on the OS would be an exception to the above requirement. In fact, it is recommended that anti-virus software be implemented on any gateway, if supported. However, there are currently no specific configuration guidance.

Fix: F-20527r1_fix

The IAO will ensure unused management interfaces, ports, protocols and services are removed or disabled on devices providing remote access services to remote users.

b

Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access.

Medium - V-18590 - SV-20136r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-070

Vuln IDs

V-18590

Rule IDs

SV-20136r1_rule

A centralized policy manager provides a consistent security policy, particularly in environments with multiple remote access devices such as multiple VPNs or RAS devices. This is a best practice for centralized management in networks with multiple remote access gateways or products. Use a single remote access policy server or configure a centralized access server which serves this purpose.Information Assurance OfficerNetwork Security OfficerEBRU-1

Checks: C-22224r1_chk

Review the configuration of the remote access device (RAS/VPN). Verify the remote access policy is the primary means for configuring access control for user access. The centralized remote access policy should apply to all remote access devices so that there is a consistent security policy. Remote access portals and network extension are also handled in this access control policy. NOTE: Portal configuration and network extension configuration is handled in the access control policy.

Fix: F-19223r1_fix

Implement a centralized remote access policy for configuring and controlling access for remote users.

b

The remote access policy will provide separation of traffic based on sensitivity and user trust levels.

Medium - V-18622 - SV-20180r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-060

Vuln IDs

V-18622

Rule IDs

SV-20180r1_rule

Device authentication must be performed at the perimeter or on a subnet separated from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user authentication does not mitigate the risk from an improperly configured client device. Devices must be tested for policy compliance and assigned a trust level based on the results of a thorough integrity check. This approach checks that devices connecting to the network are authenticated and compliant with network policy prior to allowing access to network resources.Information Assurance OfficerECSC-1

Checks: C-22304r1_chk

Have the site representative display the evidence of compliance. This feature must be implemented using a central access policy such as in a gateway or access control appliance. - Government-owned and managed endpoints; - Personally-owned but managed endpoints; - Unmanaged endpoints such as public kiosks or personal computers should limited access to Web-based applications; - Privileged or Administrative access; - Endpoints compliant with DoD required security configurations such as firewalls, antivirus, etc. - Endpoints not compliant with DoD required security configurations such as firewalls, antivirus software, etc.

Fix: F-19251r1_fix

Separate the users by conditions and assigned resources based on required minimum security conditions.

b

If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access.

Medium - V-18680 - SV-20300r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-010

Vuln IDs

V-18680

Rule IDs

SV-20300r1_rule

In this STIG, a managed device is defined as a device that has installed software (i.e. an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device does not have a pre-installed agent which has been obtained from and configured by an approved DoD source. A device is also considerd unmanaged if the authorized agent is not operating properly and cannot communicate with the server. Devices that are both non-GFE and unmanaged cannot be used. To be authenticated to the network, the authentication information must be pre-configured by the site's system administrator and the device and the user must be authorized by the DAA for access to the system. Trusted computing environments require a process for ensuring that users and devices are authenticated and authorized. In certain environments such as a development network, unmanaged devices may be justified by government policy or the mission. Automated policy assessment may be implemented in various ways to increase trust and manage the risk posed by these guest devices. Information Assurance OfficerECSC-1

Checks: C-22462r1_chk

Verify that the device filter setting of the network authentication appliance is configured to force endpoint devices on the untrusted subnetwork to authenticate when attempting to access the network. In an environment where unmanaged devices are allowed remote access, devices on the untrusted side will not be set to bypass authentication. Filter lists may be set to use MAC, IP, or subnet address, and should automatically assign user roles to devices. Filters will not be configured to allow devices to bypass authentication or posture assessment.

Fix: F-19390r1_fix

Ensure the policy assessment device is configured to authenticate the endpoint devices before allowing access unto the trusted network.

a

Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or EAP tunneled within PPP.

Low - V-18750 - SV-20438r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-020

Vuln IDs

V-18750

Rule IDs

SV-20438r1_rule

Trusted computing shoud require authentication and authorization of both the user's identity and the identity of the computing device. It is possible that an authorized user may be accessing the network remotely from a computer that does not meet DoD standards. This may compromise user information, particularly before or after a VPN tunnel is established.Information Assurance OfficerEBRU-1

Checks: C-22471r1_chk

Verify that access filters are set to perform device authentication before policy assessment is perfomed. Verify that an approved method for device authentication is used (i.e., 802.1x or EAP tunnelled within PPP (for dial-up).

Fix: F-19402r1_fix

The IAO will ensure that the end point attempting remote access are valid before proceeding with security assessment or remediation activities.

a

When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.

Low - V-18754 - SV-20442r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-030

Vuln IDs

V-18754

Rule IDs

SV-20442r1_rule

Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is completed. Premature disconnections may increase network demand and frustrate the user. NOTE: This policy does not require remediation but will apply if remediation services are used.Information Assurance OfficerECSC-1

Checks: C-22554r1_chk

This setting may be sent from the assessment server, a central server, or from the remediation server. Verify that the user is notified and accepts (e.g., using an accept button) that remediation is needed and is about to begin.

Fix: F-19503r1_fix

Ensure that the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.

a

Ensure devices failing policy assessment that are not automatically remediated either before or during the remote access session, will be flagged for future manual or automated remediation.

Low - V-18833 - SV-20586r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-050

Vuln IDs

V-18833

Rule IDs

SV-20586r1_rule

Devices not compliant with DoD secure configuration policies will not be permitted to use DoD licensed software. The device status will be updated on the network and in the HBSS agent. A reminder will be sent to the user and the SA periodically or at a minimum each time a policy assessment is performed.Information Assurance ManagerECSC-1

Checks: C-22556r1_chk

Verifty compliance by viewing the remote access policy server. Verify the remediation status for these machines and also the HBSS agent on the client is updated . Verify that a reminder is sent to the user and the SA periodically or at a minimum each time a policy assessment is performed.

Fix: F-19505r1_fix

Configure the remote access policy server or other enforcement device. Ensure endpoints that fail the NAC policy assessment that are not automatically remediated are flagged for manual or automated remediation.

a

During security policy assessment, a procedure will exist that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated.

Low - V-18834 - SV-20587r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-070

Vuln IDs

V-18834

Rule IDs

SV-20587r1_rule

Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users.Information Assurance OfficerECSC-1

Checks: C-22569r1_chk

Verify existence of a procedure for blacklisting and terminating when critical security issues are found during a security policy assessment.

Fix: F-19506r1_fix

Ensure during security policy assessment, a procedure exists such that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediatly on the “blacklist” and the connection will be terminated.

b

Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself.

Medium - V-18835 - SV-20588r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-060

Vuln IDs

V-18835

Rule IDs

SV-20588r1_rule

Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts would be suspect traffic.Information Assurance OfficerECSC-1

Checks: C-22570r1_chk

Verify that the policy assessment device is not allowed to communicate with other hosts in the DMZ that do not perform security policy assement or remediation services.

Fix: F-19507r1_fix

Ensure that the policy assessment appliance or service is not allowed to communicate with unrelated host in the DMZ.

c

A policy assessment must be performed on the NAC device to scan remote endpoints attempting to connect to the organizations network.

High - V-18836 - SV-20589r2_rule

RMF Control

Severity

H

CCI

Version

SRC-NAC-080

Vuln IDs

V-18836

Rule IDs

SV-20589r2_rule

Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum security controls, they become a threat to the entire network.Information Assurance OfficerECSC-1

Checks: C-22571r2_chk

Review the assessment policies configured on the NAC device to ensure the required checks are included. The required checks are listed below: -Verification that anti-virus software is authorized, running, and virus signatures are up to date. -Host based firewall installed and configured according to the organization's security policy. -Host IDS/IPS is installed, operational, and up to date. -Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process. -Required BIOS, operating system, browser, and office application patch levels. -Performs an assessment of the list of running services. -Test for the presence of DoD required software. -Test for presence of peer-to-peer software (not allowed). If the assessment policy configured on the NAC device does not include all of the required checks above, this is a finding.

Fix: F-19508r2_fix

Configure the assessment policy for the NAC device to scan remote endpoints prior to connection to an organization's network. Required checks for the policy assessment: -Verification that anti-virus software is authorized, running, and virus signatures are up to date. -Host based firewall installed and configured according to the organization's security policy. -Host IDS/IPS is installed, operational, and up to date. -Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process. -Required BIOS, operating system, browser, and office application patch levels. -Performs an assessment of the list of running services. -Test for the presence of DoD required software. -Test for presence of peer-to-peer software (not allowed).

b

Ensure that for unmanaged client endpoints, the system must automatically scan the device once it has connected to the physical network but before giving access to the trusted internal LAN.

Medium - V-18837 - SV-20590r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-090

Vuln IDs

V-18837

Rule IDs

SV-20590r1_rule

Unmanaged devices that are not controlled or configured by DoD should not be used on the network. Contractor and partner equipment must also comply with DoD endpoint configuration requirements and kept updated. Automated assessment will allow these devices to be used safely while minimizing risk to the Enclave. Information Assurance OfficerECSC-1

Checks: C-22572r1_chk

Verify compliance by checking the filter and configuration of the access control service/solution. Note: For unmanaged devices, only devices that have passed the scan will be admitted for full access. Remediation may not be possible since this often requires administrative access and the user should not have this access on his client PC. However, the device must be manually remediation by the owning entity and then re-assessed prior to allowing access.

Fix: F-19509r1_fix

Ensure that for endpoints that are not inspected and controlled by the site, the access control system/solution performs automated assessment.

a

Automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements.

Low - V-18838 - SV-20591r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-100

Vuln IDs

V-18838

Rule IDs

SV-20591r1_rule

DOD requires that products used for IA be NIAP compliant. Information Assurance OfficerDCAS-1

Checks: C-22573r1_chk

Verify compliance by asking the site personel to provide documentation.

Fix: F-19510r1_fix

Use automated entry control components (e.g., NAC appliance, policy server) that is NIAP compliant.

a

Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP).

Low - V-18841 - SV-20594r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-130

Vuln IDs

V-18841

Rule IDs

SV-20594r1_rule

Communications between the remote client and the system which makes the decision to allow or terminate access to the network is privileged traffic. Privileged communication should be separated and/or encrypted.Information Assurance OfficerECSC-1

Checks: C-22598r1_chk

Verify compliance by checking the configuration of the policy assessment server or other component which communicates with the HBSS client on the endpoint devices. Verify that communications are set for encrypted access.

Fix: F-19516r1_fix

Ensure that the communication between the endpoint agent and the policy enforcement device is encrypted.

b

The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised.

Medium - V-18842 - SV-20595r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-140

Vuln IDs

V-18842

Rule IDs

SV-20595r1_rule

Remote access devices are often lost or stolen. They represent a threat to the enclave if the agent is compromised as this is the data collection entity in the policy assessment solution. An integrity check allows for detection in case the agent is compromised.Information Assurance OfficerECSC-1

Checks: C-22599r1_chk

Check compliance by interviewing the site representative. Ask if the enforcement system has an integrity checking mechanism. Do not document details of the procedure used.

Fix: F-19517r1_fix

Ensure that a method of integrity checking (e.g., a file or other check). Ensure that the installed endpoint agent .enforcement system has an integrity checking mechanism.

b

Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers.

Medium - V-18843 - SV-20596r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-150

Vuln IDs

V-18843

Rule IDs

SV-20596r1_rule

Unmanaged clients such as partner or contractor-owned devices should not contain restricted government informaiton.Information Assurance OfficerECSC-1

Checks: C-22600r1_chk

Interview the site personnel. If unmanaged endpoints are permitted access, ask if the agent is preconfigued with IP address ranges and other government information.

Fix: F-19518r1_fix

Ensure unmanaged endpoints, when allowed, are not preconfigued with agents containing sensitive network access information such as IP address ranges.

b

The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication.

Medium - V-18844 - SV-20597r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-160

Vuln IDs

V-18844

Rule IDs

SV-20597r1_rule

The remote user policy assessment/enforcement device will be installed on a separate host from the authentication server. This device interacts directly with public networks and devices and should not contain user authentication information for all users.Information Assurance OfficerECSC-1

Checks: C-22601r1_chk

Review the authentication configuration of the policy assessment/enforcement device. Verify that it is configured to use a separate authentication server to perform user authentication.

Fix: F-19519r1_fix

Ensure the authentication configuration of the policy assessment/enforcement device is configured to use a separate authentication server to perform user authentication.

a

Where automated remediation is used for remote access clients, traffic separation will be implemented and authorized and unauthorized network traffic use separate security domains (e.g., Virtual Local Area Networks (VLANs)).

Low - V-18846 - SV-20599r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NAC-180

Vuln IDs

V-18846

Rule IDs

SV-20599r1_rule

A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security policy. When this technology is used, policy compliance and remediation is performed before the device is allowed unto the trusted network. If the device does not pass the security policy compliance inspection, then it may contain malicious code which may endanger the network. After the device has been authenticated, it can be logically moved into a new VLAN and given access to the trusted network depending on user authorization. NOTE: This policy does not mandate automated remediation.Information Assurance OfficerECSC-1

Checks: C-22603r1_chk

Verify that remediation server is configured as follows: – Will be separated from the policy assessment server on a separate subnet; – Will be separated from the internal protected enclave by a separate subnet; – The subnet configuration will comply with the requirement of the Network Infrastructure STIG; – Will incorporate and leverage use of DoD remediation tools when available; and – Will comply with the requirements of the applicable operating system STIG.

Fix: F-19521r1_fix

Ensure remediation server is configured as requrired, at a minimum.

b

If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy.

Medium - V-18847 - SV-20600r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-190

Vuln IDs

V-18847

Rule IDs

SV-20600r1_rule

If a device fails the sites approved security policy assessment test, then it may contain compromised data. Using a VLAN to keep trusted and untrusted traffic safe his kept separated while the failure is either redirected for remediation or the communication terminated.Information Assurance OfficerECSC-1

Checks: C-22604r1_chk

Review the configuration of the device. Verify filters for the policy assessment device are set to take one of the approved action choices upon failure. Site is compliant if one of the following actions is perfomed in accordance with site policy. – Terminate the connection and place the device a “blacklist” to prevent future connection attempts until action is taken to remove the device from the blacklist; – Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server; – Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the DAA); – Allow the device and user full entry into the protected enclave but flag it for future remediation. With this option an automated reminder should be used to inform the user of the remediation status.

Fix: F-19522r1_fix

Ensure filters for the policy assessment device are set to take one of the approved action choices upon failure.

c

The DAA will approve all remote access connections that bypass the policy enforcment/assessment solution.

High - V-18851 - SV-20616r1_rule

RMF Control

Severity

H

CCI

Version

SRC-NAC-200

Vuln IDs

V-18851

Rule IDs

SV-20616r1_rule

Remote access connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the DAA.Information Assurance OfficerECSC-1

Checks: C-22631r1_chk

Verify that if the bypass procedure has been DAA approved by checking the documentation.

Fix: F-19545r1_fix

Document approval by the DAA for all access control bypass procedures.

b

For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied.

Medium - V-18852 - SV-20617r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-210

Vuln IDs

V-18852

Rule IDs

SV-20617r1_rule

Devices that fail authentication are not permitted on the network. These devices may contain malware or content which is harmful to the enclave.Information Assurance OfficerECSC-1

Checks: C-22632r1_chk

Verify by examining the configuration of the policy assessment or enforcement server (e.g., NAC appliance). Examine the actions taken when the endpoint fails authentication comply with the requirement.

Fix: F-20528r1_fix

Where unmanaged devices are not allowed access, the IAO will ensure that remote endpoints that fail the device authentication the remote access request will be terminated.

b

Endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.

Medium - V-18853 - SV-20618r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-220

Vuln IDs

V-18853

Rule IDs

SV-20618r1_rule

This type of access could permit an unauthorized endpoint onto the network. Depending on the critical nature of the authorization failure (e.g., virus detected) this type of access could place the enclave at risk.Information Assurance OfficerECSC-1

Checks: C-22634r1_chk

Verify compliance by interviewing the NSO. The configuration of the policy enforcement device should also be examined. There are several ways to achieve compliance. In each case, the endpoint should not receive an IP address that can be used on the trusted side of the network. A DMZ, VLAN, or direct host-host communications may be used.

Fix: F-19547r1_fix

Ensure that endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.

b

After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance.

Medium - V-18854 - SV-20620r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NAC-230

Vuln IDs

V-18854

Rule IDs

SV-20620r1_rule

After initial remediation, unmanaged devices should be tested again prior to authorization and admittance. This will mitigate the risk that the remediation did not completely eliminate the cause of the initial assessment failure.Information Assurance OfficerECSC-1

Checks: C-22635r1_chk

Verify configuration of the enforcement server/solution. Check to see if unmanaged devices are set to be reassessed once remediation actions are completed.

Fix: F-19549r1_fix

Ensure that unmanaged devices are set to be reassessed once remediation actions are completed.

c

Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies.

High - V-18855 - SV-20626r2_rule

RMF Control

Severity

H

CCI

Version

SRC-EPT-010

Vuln IDs

V-18855

Rule IDs

SV-20626r2_rule

If endpoint devices used to access restricted networks and systems are not compliant with security policies and able to pass policy assessment then privileged information and systems may be at immediate risk. Devices are government owned (GFE), contractor owned, or personally owned. Devices are categorized as government owned (GFE), contractor owned, or personally owned. A personally-owned device is not managed, owned, or leased by the government. Personally owned devices do not meet DoD security standards for privileged access. This type of access from an untrusted device puts the network at immediate risk since these devices may have ensured confidentiality and integrity requirements. These devices may be managed devices. However, even when subjected to policy assessment, personally owned devices are not allowed for processing classified or for remote access to privileged data or functions. The intention is to allow approved and limited usage (e.g., for email). However, note that a policy assessment solution must be in place for all unmanaged devices to enter trusted zones. Contractor owned endpoints are provided in compliance with a government contract to perform management services. These endpoints must be STIG compliant using the OS STIG and other applicable STIGs and must follow DoD requirements for remaining compliant. The configuration and connection method for privileged access must also comply with government confidentiality and integrity requirements. Thus, the configuration of devices must be approved by the government as STIG compliant and kept up to date. Remote access for these devices must meet network access control and automated policy assessment requirements.Information Assurance OfficerECSC-1

Checks: C-22661r4_chk

Interview the network administrator or site representatives. Verify if system administrators are informed of the requirement to use only authorized endpoint devices when remotely accessing DoD networks and systems for configuration, management, or restricted access. Verify there is a configuration management process that ensures STIG compliance. For contractor owned equipment, verify systems used are documented and approved by a government representative.

Fix: F-19560r2_fix

Train individuals authorized to perform configuration, management, and other privileged tasks using remote access to use only government-owned or authorized devices. Establish a STIG compliance process. For contractor owned endpoints, obtain approval/authorization for configuration, access method, and compliance process from government representative. Configure systems for policy assessment (e.g., NAC) upon access if contractor devices are used.

a

Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training.

Low - V-19139 - SV-20952r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-040

Vuln IDs

V-19139

Rule IDs

SV-20952r1_rule

Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. Information Assurance OfficerPRTN-1

Checks: C-22759r1_chk

Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows: - The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless access, mobile access). - The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device. - Incident handling and reporting procedures are identified along with a designated point of contact. - The policy will contain general security requirements and practices and will be signed by the remote user. - If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc. - Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment. If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.

Fix: F-19690r1_fix

Develop documentation as required.

b

Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets and comply the requirements.

Medium - V-19140 - SV-20953r1_rule

RMF Control

Severity

M

CCI

Version

SRC-EPT-050

Vuln IDs

V-19140

Rule IDs

SV-20953r1_rule

Unmanaged endpoints must be configured according to the organization's security policy and standards before these devices can be allowed access to even the most non-sensitive areas of the network such as the DMZ. Unmanaged endpoints will never be allowed to traverse or access to the protected inner enclave regardless of configuration.Information Assurance OfficerECSC-1

Checks: C-22760r1_chk

Inspect a copy of the site’s remote user agreement and Service Level Agreements. Verify one of these documents include the requirements as follows: – Are approved by the DAA; – Use devices that are capable of complying with applicable STIG requirements to the greatest extent possible (i.e., comply with all CAT 1 requirements applicable to the OS and other technology used); 1. The owner signs forfeiture agreement in case of a security incident; 2. The security policy on the device is actively scanned prior to allowing access to the DoD Enclave by the IAO; and 3. Full access to the DoD internal protected enclave is not permitted. Access will be restricted to a limited access subnet.

Fix: F-19691r1_fix

If unmanaged endpoints are used, ensure required documentation and agreements are completed in compliance with this requirement

a

Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent with remote access methods.

Low - V-19142 - SV-20955r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-060

Vuln IDs

V-19142

Rule IDs

SV-20955r1_rule

Lack of user training and understanding of responsibilities to safeguard the network are a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains.Information Assurance OfficerECSC-1

Checks: C-22762r1_chk

Inspect a copy of the site’s security checklist, if available. This checklist may be incorporated into the user agreement or the user training. The checklist is different from the user agreement in that it incorporates all of the user's security responsibilities concerning remote computing and network security in general. Verify that documentation exists to show that users are required to read and sign this checklist or training material.

Fix: F-19693r1_fix

Ensure a checklist or detailed user training is used to inform the users of their security responsibilities.

a

Remote user agreement will contain a Standard Mandatory Notice and Consent Provision.

Low - V-19143 - SV-20956r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-070

Vuln IDs

V-19143

Rule IDs

SV-20956r1_rule

Lack of user training as evidenced by signed documentation may indicate the users lack understanding of their responsibilities to safeguard the network and be a significant vulnerability to the enclave.Information Assurance OfficerECSC-1

Checks: C-22763r1_chk

Inspect a copy of the site’s user agreement. Verify user agreement has the current consent provision exactly as written by DoD for legal purposes.

Fix: F-19694r1_fix

Ensure remote user agreement contains a Standard Mandatory Notice and Consent Provision.

a

Train users not to connect remote clients which process sensitive information directly into the broadband modem.

Low - V-19144 - SV-20957r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-110

Vuln IDs

V-19144

Rule IDs

SV-20957r1_rule

If a telework devices connect directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device is directly accessible from the Internet and at high risk of being attacked. To prevent this from occurring, the home network should have a security device between the ISP and the telework device. This is most commonly accomplished by using a broadband router (e.g., cable modem router, DSL router) or a firewall appliance.Information Assurance OfficerECSC-1

Checks: C-22764r1_chk

Inspect the user training material or the remote user checklist. Verify that the users are trained not to plug the DoD endpoint directly into the broadband modem. Users must be given assistace (e.g., checklist) on how to configure and and properly connect GFE into a properly configured broadband router or firewall appliance.

Fix: F-19695r1_fix

Ensure the user is trained not to plug the connect directly to the broadband modem but rather to use a correctly configured security gateway.

a

Users who telework regularly are informed of the requirement to configure home networking router or firewall appliances to implement NAT.

Low - V-19145 - SV-20958r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-140

Vuln IDs

V-19145

Rule IDs

SV-20958r1_rule

Configuring NAT on the network security gateway or firewall will help prevent hosts on the Internet from accessing the DOD teleworker computer directly.Information Assurance OfficerECSC-1

Checks: C-22765r1_chk

Review the user agreement or security checklist. Verify that it contains the instruction to configure home networking router or firewall appliances to implement NAT.

Fix: F-19696r1_fix

Update the remote user security checklist to include a check for the teleworker to configure the home networking router or firewall appliances to implement NAT.

a

Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolate), the devices are logically separated by the appliance or router (on a different logical segment of the network).

Low - V-19146 - SV-20959r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-130

Vuln IDs

V-19146

Rule IDs

SV-20959r1_rule

If a personal firewall on a computer malfunctioned, the appliance or router would still protect the computer from unauthorized network communications from external computers. In some cases, the appliance or router also can protect devices on the home network from each other—if the devices are logically separated by the appliance or router.Information Assurance OfficerECSC-1

Checks: C-22780r1_chk

Review user agreement or security checklist. Ensure users have been informed that their home network be configured to use the router or firewall to isolate the DoD endpoint from the other devices on the home network.

Fix: F-19697r1_fix

Update the remote access security checklist, the user agreement, or other training materials to show that users are trained to comply with the approved teleworker home network architecture.

a

Provide teleworkers training on best practices for operating a secure network.

Low - V-19147 - SV-20960r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-120

Vuln IDs

V-19147

Rule IDs

SV-20960r1_rule

Changing the default passwords on the devices helps protect against attackers using these LANs to gain access to the device. List of manufacturer default passwords are widely available on the Internet.Information Assurance OfficerECSC-1

Checks: C-22781r1_chk

Review the security checklist or user agreement. Verify that users have received information on the following best practices. – Changing device password on home network level devices such as routers and firewalls. - Configuring the device so that it cannot be administered from outside the home network, preventing external attackers from taking control of the device. – Configuring the device to silently ignore unsolicited requests sent to it, which essentially hides the device from malicious parties. – Checking for updates and applying them periodically, as explained in the vendor’s documentation—either automatically (typically daily or weekly) or manually (to be performed by the teleworker at least monthly) . – For broadband routers, turning off or disabling built-in wireless access points (AP) that are not being used. – The proper precautionary measures for a firewall appliance or broadband router vary.

Fix: F-19698r1_fix

Train users as required.

a

When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected.

Low - V-19148 - SV-20961r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-100

Vuln IDs

V-19148

Rule IDs

SV-20961r1_rule

Endpoints that are directly connected to public networks are vulnerable to various forms of attack the longer they remain connected. A properly configured VPN adds defense in depth protection. NOTE: Users who are trained and provide documentation (screen-prints) showing compliance with the telework isolation policy are compliant with the requirement. Information Assurance OfficerECSC-1

Checks: C-22782r1_chk

Verify by inspecting the training material or security checklist. An automated method where the NIC is disabled may be implemented.

Fix: F-19699r1_fix

Implement automated controls or train users to physically disconnect or disable NICs when no longer connected to the secure VPN.

b

When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client.

Medium - V-19149 - SV-20962r1_rule

RMF Control

Severity

M

CCI

Version

SRC-EPT-090

Vuln IDs

V-19149

Rule IDs

SV-20962r1_rule

The DoD architechure is extensive and is designed to protect the enclave and it's endpoints. When a remote user accesses the internet directly, this infrastucture is not leveraged. All connections for Government official business to the Internet via the hotel wireless network will be through the DoD VPN connection only. This requirement should be automatically enforced by an enforcement agent or other technical means on the endpoint.Information Assurance OfficerECSC-1

Checks: C-22784r1_chk

Review the user training or security checklist to verify that users are trained on this requirement. If this is automatically enforced, have the IAO demonstrate this feature.

Fix: F-19700r1_fix

Update the user training or security checklist.

b

Remote/telework endpoints not capable (e.g., lacks enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network.

Medium - V-19150 - SV-20963r1_rule

RMF Control

Severity

M

CCI

Version

SRC-EPT-080

Vuln IDs

V-19150

Rule IDs

SV-20963r1_rule

If the client is incapable of employing critical security protections then allowing access to that devices could expose the network to potentially significant risk.Information Assurance OfficerECSC-1

Checks: C-22785r1_chk

Interview the IAO. Ask if devices are permitted either through Service Level Agreements or DoD-owned which do not have anti-virus, firewall, or cannot be configured to meet DoD requirements. If such devices are permitted, this is a finding.

Fix: F-19701r1_fix

Ensure the DAA and system administrator have a policy that devices must contain anti-virus and firewall software which are compliant with DoD requirements of the Desktop STIG.

c

Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location.

High - V-19151 - SV-20964r1_rule

RMF Control

Severity

H

CCI

Version

SRC-EPT-030

Vuln IDs

V-19151

Rule IDs

SV-20964r1_rule

Use of improperly configured or lower assurance equipment and solutions could compromise high value information.Information Assurance OfficerECSC-1

Checks: C-22786r1_chk

Verify use of NSA certified equipment and architecture by asking the site representative to demonstrate the products and encryption used. Verify compliance with the following requirements: – The solution is used in accordance with all NSA and DOD policy and guidelines. – The solution will use a High Assurance (Type 1) Link Encryptor to provide high assurance link protection (confidentiality, integrity, and authentication), using NSA-certified cryptographic components, between the remote user and DOD enclaves or other computing environments. A High Assurance (Type 1) Media Encryptor to provide high assurance protection (confidentiality and integrity), using NSA-certified cryptographic components, to a remote user’s hard-drive and removable media. – The NSA Type 1 link encryption device is kept in the user’s possession at all times or stored in accordance with policy applicable to classified storage. – The NSA Type 1 link encryption device is stored separately from the computer when not in use.

Fix: F-19702r1_fix

Ensure use of compliant architechture and equipment.

b

Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access.

Medium - V-19152 - SV-20965r1_rule

RMF Control

Severity

M

CCI

Version

SRC-EPT-020

Vuln IDs

V-19152

Rule IDs

SV-20965r1_rule

Equipment owned or controlled by non-DoD entities may contain malware or other vulnerabilities which may present a danger to the network.Information Assurance OfficerECSC-1

Checks: C-22787r1_chk

Interview the IAO. Ask if remote access equipment, endpoints, and communications equipment is government owned.

Fix: F-19703r1_fix

Ensure all equipment used for remote access solutions which process classified information is government owned and managed.

a

Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment.

Low - V-19381 - SV-21298r1_rule

RMF Control

Severity

L

CCI

Version

SRC-VPN-050

Vuln IDs

V-19381

Rule IDs

SV-21298r1_rule

NOTE: TLS 1.0 and later uses the ephemeral Diffie-Hellman key establishment method, but this does not meet the requirements of NIST SP 800-56A. NIST has granted a waiver from this requirement for systems using SSL until the end of 2010 and this may be extended indefinitely. However, the current requirement for SSL key establishment now and beyond 2010 is the RSA method.Information Assurance ManagerECSC-1

Checks: C-23373r1_chk

Ask the site representative for documentation or verify by inspecting the TLS configuration application. NOTE: The systems may use the NIST-preferred method of ephemeral Diffie-Helman, but new systems will have the capability to use RSA.

Fix: F-19953r1_fix

Ensure newly purchased systems have the capability to perform RSA key establishment.

a

Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures.

Low - V-19382 - SV-21299r1_rule

RMF Control

Severity

L

CCI

Version

SRC-VPN-060

Vuln IDs

V-19382

Rule IDs

SV-21299r1_rule

It is not enough to enable FIPS encryption. To gain the full security implied by the FIPS standard, the functions and procedures required by the FIPS 140-2 documents must also be implemented.Information Assurance OfficerECSC-1

Checks: C-23374r1_chk

Interview site representative or inspect the VPN encryption configuration on the TLS VPN appliance or server. NOTE: Prior to purchasing a TLS VPN, the site will verify the system has the capability to require HMAC-SHA-1. However, use of devices using SHA-1 hash functions is acceptable.

Fix: F-19954r1_fix

Whe purchasing an TLS VPN, ensure the system has the capability to require HMAC-SHA-1.

a

Ensure that when TLS VPN is used, endpoints that fail “required” critical endpoint security checks will receive either no access or only limited access.

Low - V-19383 - SV-21300r1_rule

RMF Control

Severity

L

CCI

Version

SRC-VPN-070

Vuln IDs

V-19383

Rule IDs

SV-21300r1_rule

Remote endpoint devices requesting TLS portal access will either be disconnected or given limited access as designated by the DAA and system owner if the device fails the authentication or security assessment. Information Assurance OfficerECSC-1

Checks: C-23375r1_chk

Verification will depend on the method used by the site to automate this functionality. Verify that end point failing to pass minimum and requried security configuration checks are not given full access to DoD non-public information with DAA approval. NOTE: The user will be presented with a limited portal which does not include access options for sensitive resources. (Required security checks will be identified and approved by the DAA or designated representative).

Fix: F-19955r1_fix

Ensure end point failing to pass minimum and required security configuration checks are not given full access to DoD non-public information with DAA approval.

c

Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location.

High - V-19830 - SV-21993r1_rule

RMF Control

Severity

H

CCI

Version

SRC-RAP-030

Vuln IDs

V-19830

Rule IDs

SV-21993r1_rule

Failure to use approved communications equipment and security measure can lead to unauthorized disclosure, loss, or compromise of classified information. Information Assurance ManagerECSC-1

Checks: C-21322r1_chk

Interview the IAO. Ask if users are allowed to process classified information from remote locations. Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunnelled using communications channels which are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements as follows: - C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. The SIPRNet will be the network of choice for C2 traffic. - Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs. - Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (DISA/GS21). Supported rationale will be presented to the CDSM. - Type 1 encryption will be employed. - Must be documented in the DIACAP Implementation Plan (DIP) - Termination of the tunnel will be in facilities authorized to process classified US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy. **This check applies to Enhanced Compliance Validation visits.

Fix: F-19138r1_fix

The IAO will ensure classified information is not transmitted over any communications system unless it is transmitted using approved NSA security devices in addition to approved security procedures and practices.

a

Ensure the required accreditation documentation (e.g. DIP) is kept updated.

Low - V-19831 - SV-21994r1_rule

RMF Control

Severity

L

CCI

Version

SRC-RAP-010

Vuln IDs

V-19831

Rule IDs

SV-21994r1_rule

The most critical part of a remote access solution is to create a centralized point of access and authentication close to the network edge. This device manages access to network resources on the internal LAN. DoD requires that all information technology devices attached to the network be documented in the DIP.Information Assurance OfficerECSC-1

Checks: C-23361r1_chk

The system owner will identify security domain requirements in the DIACAP documentation. Each DIP must include a description of the sites architecture with the remote access equipment shown on the drawing. Verify that these documents will reflect the installation or modification of network communications devices used for network access devices that provide remote access services (e.g., appliances or servers such as RAS, VPN, remote security assessment, or policy appliances).

Fix: F-19143r1_fix

Verify DIACAP equipment list reflects changes made to the site’s remote access network devices.

b

Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture.

Medium - V-19832 - SV-21995r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-020

Vuln IDs

V-19832

Rule IDs

SV-21995r1_rule

The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of the existing network inspection architecture will ensure remote communications are subject to the same rigorous standards as other network traffic and lower the risk of misconfiguration presented by multiple traffic inspection systems.Information Assurance OfficerECSC-1

Checks: C-25055r1_chk

Ensure remote access device traffic is configured using an approved architecture. All ingress traffic will be directed for inspected by the firewall and Network IDS/IPS. Because this traffic is required to be in an encrypted tunnel, the site may implement one of two approved architectures. 1. Terminate the tunnel at the external NIDS located between the site’s Approved Gateway (Service Delivery Router) and the premise router; or 2. Terminate at the remote access gateway and route the traffic to the IDS/IPS for inspection prior to forwarding into the protected LAN.

Fix: F-19139r1_fix

Architecture must use one of the approved options for ensuring that remote access ingress traffic will pass through and be inspected by the firewall and Network IDS/IPS.

b

Ensure the remote access server (RAS) is located in a dual homed screened subnet.

Medium - V-19833 - SV-21996r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAP-040

Vuln IDs

V-19833

Rule IDs

SV-21996r1_rule

Without a screened subnet architecture traffic that would be normally destined for the DMZ would have to be redirected to the site's internal network. This would allow for a greater opportunity for hackers to exploit. NOTE: This check does not apply to the remote access VPN gateway. If an integrated RAS/VPN gateway is used where dial-up services are provided, then this check also applies. The DMZ architecture and placement will comply with the requirements of the applicable Network Infrastructure STIG.Information Assurance OfficerECSC-1

Checks: C-25056r1_chk

Review network architecture with the network administrator. Verify compliance by inspecting the site network topology diagrams and the firewall interface configurations. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator to verify the diagrams are current. If the network device does not use an approved network isolation method (e.g., DMZ), this is a finding.

Fix: F-20516r1_fix

Use the network diagram in the Network Infrastructure STIG for guidance for placement of RAS server in the appropriated DMZ subnets.

c

Ensure remote access for privileged tasks such as network devices, host, or application administration is compliant.

High - V-19834 - SV-21997r1_rule

RMF Control

Severity

H

CCI

Version

SRC-RAP-050

Vuln IDs

V-19834

Rule IDs

SV-21997r1_rule

If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.Information Assurance ManagerECSC-1

Checks: C-22223r1_chk

View the configuration of the the RAS and/or remote VPN gateway. Verify that a AAA (authentication) server is required for privileged access to the remote access device by reviewing the authentication screen. Verify that the configuration requires the following: 1. Multi-factor authentication (e.g., PKI, SecureID, or DoD Alternate Token) using a AAA server; 2. Identification and personal authentication uses individually assigned accounts rather than group or shared accounts or authenticators; and 3. . Encryption using FIPS 140-2 compliant algorithms and encryption modules - (e.g., AES). Also verify that a network review has been performed using the Network Infrastructure STIG and the architecture complies with the In- and Out-of-band requirements of the appropriate Network Infrastructure STIG.

Fix: F-20517r1_fix

The remote access administrator will configure the remote access or VPN server to use the TACACS+, Radius or Diameter server for administrative access.

b

Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls.

Medium - V-21799 - SV-24380r1_rule

RMF Control

Severity

M

CCI

Version

SRC-EPT-055

Vuln IDs

V-21799

Rule IDs

SV-24380r1_rule

There may be hardware or keyboard capture software which could monitor computer usage and keystrokes. Also, these computers may contain virus' and other malicious code which may infect DoD systems being accessed. This policy is in accordance with Directive-Type Memorandum (DTM) 08-027, 31 July 2009, Security of Unclassified DoD Information on Non-DoD Information Systems. Information Assurance OfficerECSC-1

Checks: C-26068r1_chk

Verify the users are trained not to use public computers or kiosks to process government sensitive information. This may be placed in the User Agreement or the site's training materials.

Fix: F-22583r1_fix

Ensure users do not use public computers and kiosks to process, store, or transmit sensitive information without approal of the data owner.

a

Where non-DoD information systems are used for processing unclassified emails for the teleworker whose normal duty location in the mobile or telework location (s), the user will have the ability to send and receive digitally encrypted and signed email.

Low - V-21800 - SV-24381r1_rule

RMF Control

Severity

L

CCI

Version

SRC-EPT-056

Vuln IDs

V-21800

Rule IDs

SV-24381r1_rule

DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP). Users need this capability to read and send digitally signed email and to ensure non-repudiation.Information Assurance OfficerECSC-1

Checks: C-26069r1_chk

interview the SA and ask if PKI is implemented on the endpoint's computer and configured for use by the email program..

Fix: F-22584r1_fix

Ensure the email solution on the remote access device has the ability to digitally sign messages.

a

Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.

Low - V-25034 - SV-30836r6_rule

RMF Control

Severity

L

CCI

Version

WIR-WRA-001

Vuln IDs

V-25034

Rule IDs

SV-30836r6_rule

Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized people. Without adequate training remote access users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits.System AdministratorPRTN-1

Checks: C-31258r9_chk

Detailed Policy Requirements: The ISSO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device: - Maintaining physical control of the device. - Reducing exposure of sensitive data. - User authentication and content encryption requirements. - Enabling wireless interfaces only when needed. - Enable VPN connection to the DoD network immediately after establishing a wireless connection (using an approved VPN client). - All Internet browsing will be done via the VPN connection to the DoD network. - No split tunneling of VPN. - Locations where wireless remote access is authorized or not authorized (i.e., home, airport, hotel, etc.). - Wireless client configuration requirements. - Use of WPA2 Personal (AES) on home WLAN. - Home WLAN password and SSID requirements - Discontinue the use of devices suspected of being tampered with and notify the site ISSO. Check Procedures: Review site wireless device and/or IA awareness training material to verify it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user. Verify site training records show authorized wireless remote access users received required training and training occurred before the users were issued a device. Check training records for approximately five users, picked at random. If wireless remote access users have not received required training, this is a finding.

Fix: F-27724r2_fix

Complete required training.

a

The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.

Low - V-25035 - SV-30837r6_rule

RMF Control

Severity

L

CCI

Version

WIR-WRA-002

Vuln IDs

V-25035

Rule IDs

SV-30837r6_rule

Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.System AdministratorECWN-1

Checks: C-31259r7_chk

Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site AO, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet): - Device unlock password requirements. - Client software patches kept up to date - Internet browsing through enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Procedures after client is lost, stolen, or other security incident occurs. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs? --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment? - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client’s device may be used, such as specific locations. --Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft. Check Procedures: Interview the ISSO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site AO, Commander, Director, or other appropriate managers. If a wireless remote access policy does not exist or is not signed, this is a finding.

Fix: F-27725r4_fix

Publish Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.

a

The site physical security policy must include a statement if CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility.

Low - V-25036 - SV-30838r5_rule

RMF Control

Severity

L

CCI

Version

WIR-WRA-003

Vuln IDs

V-25036

Rule IDs

SV-30838r5_rule

Wireless client, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the appropriate STIG and the site’s overall network security controls are not configured to provide adequate security for unapproved devices. When listed in the SSP, the site has shown that security controls have been designed to account for the wireless devices.System AdministratorECWN-1

Checks: C-31260r5_chk

This requirement applies to mobile operating system (OS) CMDs. Work with traditional reviewer to review site’s physical security policy. Verify the site addresses CMDs with embedded cameras. If there is no written physical security policy outlining whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility, this is a finding.

Fix: F-27726r5_fix

Publish a site physical security policy that includes a statement if CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility.

Checks: C-12973r1_chk

Fix: F-14217r1_fix

Generate Mitigation Statement:

Checks: C-21324r1_chk

Fix: F-19140r1_fix

Generate Mitigation Statement:

Checks: C-21325r1_chk

Fix: F-20527r1_fix

Generate Mitigation Statement:

Checks: C-22224r1_chk

Fix: F-19223r1_fix

Generate Mitigation Statement:

Checks: C-22304r1_chk

Fix: F-19251r1_fix

Generate Mitigation Statement:

Checks: C-22462r1_chk

Fix: F-19390r1_fix

Generate Mitigation Statement:

Checks: C-22471r1_chk

Fix: F-19402r1_fix

Generate Mitigation Statement:

Checks: C-22554r1_chk

Fix: F-19503r1_fix

Generate Mitigation Statement:

Checks: C-22556r1_chk

Fix: F-19505r1_fix

Generate Mitigation Statement:

Checks: C-22569r1_chk

Fix: F-19506r1_fix

Generate Mitigation Statement:

Checks: C-22570r1_chk

Fix: F-19507r1_fix

Generate Mitigation Statement:

Checks: C-22571r2_chk

Fix: F-19508r2_fix

Generate Mitigation Statement:

Checks: C-22572r1_chk

Fix: F-19509r1_fix

Generate Mitigation Statement:

Checks: C-22573r1_chk

Fix: F-19510r1_fix

Generate Mitigation Statement:

Checks: C-22598r1_chk

Fix: F-19516r1_fix

Generate Mitigation Statement:

Checks: C-22599r1_chk

Fix: F-19517r1_fix

Generate Mitigation Statement:

Checks: C-22600r1_chk

Fix: F-19518r1_fix

Generate Mitigation Statement:

Checks: C-22601r1_chk

Fix: F-19519r1_fix

Generate Mitigation Statement:

Checks: C-22603r1_chk

Fix: F-19521r1_fix

Generate Mitigation Statement:

Checks: C-22604r1_chk

Fix: F-19522r1_fix

Generate Mitigation Statement:

Checks: C-22631r1_chk

Fix: F-19545r1_fix

Generate Mitigation Statement:

Checks: C-22632r1_chk

Fix: F-20528r1_fix

Generate Mitigation Statement:

Checks: C-22634r1_chk

Fix: F-19547r1_fix

Generate Mitigation Statement:

Checks: C-22635r1_chk

Fix: F-19549r1_fix

Generate Mitigation Statement:

Checks: C-22661r4_chk

Fix: F-19560r2_fix

Generate Mitigation Statement:

Checks: C-22759r1_chk

Fix: F-19690r1_fix

Generate Mitigation Statement:

Checks: C-22760r1_chk

Fix: F-19691r1_fix