Ensure the site maintains administrative oversight and control privileges over the remote endpoints. NOTE: The MOA will contain an agreement that allows the site to maintain administrative oversight and control privileges over the remote endpoint.
Define written agreements with contractors, partners, and other remote users so that the site maintains administrative oversight and control privileges over their endpoints.
Verify the remote access gateway's release and maintenance level. Research the vendor's vulnerability list and the current version/revision; both are normally published on the vendor's support website.
When the system administrator is notified that a newer version of the remote access device software is available or that the installed version has known vulnerabilities, the new version will be tested and installed as soon as the mission permits. Until then, any installed version with known security vulnerabilities must be documented in a Plan of Action and Milestones (POAM).
Have the SA display the services running on the remote access device or its underlying OS, and compare the list against the services the device needs in order to provide remote access. CAVEAT: Anti-virus software running on the OS is an exception to this requirement. In fact, it is recommended that anti-virus software be implemented on any gateway that supports it. However, there is currently no specific configuration guidance for it.
The IAO will ensure unused management interfaces, ports, protocols and services are removed or disabled on devices providing remote access services to remote users.
Review the configuration of the remote access device (RAS/VPN). Verify that the remote access policy is the primary means of configuring access control for user access. The centralized remote access policy should apply to all remote access devices so that the security policy is consistent. NOTE: Remote access portal configuration and network extension configuration are also handled in this access control policy.
Implement a centralized remote access policy for configuring and controlling access for remote users.
Have the site representative display the evidence of compliance. This feature must be implemented using a central access policy, such as in a gateway or access control appliance, that distinguishes at least the following classes of endpoint and access: - Government-owned and managed endpoints; - Personally-owned but managed endpoints; - Unmanaged endpoints such as public kiosks or personal computers (these should be limited to Web-based applications); - Privileged or administrative access; - Endpoints compliant with DoD-required security configurations such as firewalls, antivirus, etc.; - Endpoints not compliant with DoD-required security configurations such as firewalls, antivirus software, etc.
Separate users into classes by endpoint condition and assign resources to each class based on the minimum security conditions it meets.
Verify that the device filter settings of the network authentication appliance are configured to force endpoint devices on the untrusted subnetwork to authenticate when attempting to access the network. In an environment where unmanaged devices are allowed remote access, devices on the untrusted side will not be set to bypass authentication. Filter lists may be keyed on MAC address, IP address, or subnet, and should automatically assign user roles to devices. Filters will not be configured to allow devices to bypass authentication or posture assessment.
Ensure the policy assessment device is configured to authenticate the endpoint devices before allowing access onto the trusted network.
Verify that access filters are set to perform device authentication before policy assessment is performed. Verify that an approved method of device authentication is used (i.e., 802.1X, or EAP tunneled within PPP for dial-up).
The IAO will ensure that endpoints attempting remote access are validated before proceeding with security assessment or remediation activities.
This notification may be sent from the assessment server, a central server, or the remediation server. Verify that the user is notified, and must accept (e.g., using an accept button), that remediation is needed and is about to begin.
Ensure that the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.
Verify compliance by viewing the remote access policy server. Verify the remediation status of these machines and that the HBSS agent on the client is updated. Verify that a reminder is sent to the user and the SA periodically, or at a minimum each time a policy assessment is performed.
Configure the remote access policy server or other enforcement device. Ensure endpoints that fail the NAC policy assessment that are not automatically remediated are flagged for manual or automated remediation.
Verify that a procedure exists for blacklisting the endpoint and terminating the connection when critical security issues are found during a security policy assessment.
Ensure a procedure exists such that, when a security policy assessment finds critical security issues that put the network at risk, the remote endpoint is immediately placed on the blacklist and the connection is terminated.
Verify that the policy assessment device is not allowed to communicate with other hosts in the DMZ that do not perform security policy assessment or remediation services.
Ensure that the policy assessment appliance or service is not allowed to communicate with unrelated hosts in the DMZ.
Review the assessment policies configured on the NAC device to ensure the required checks are included. The required checks are listed below: - Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date - Check host-based firewall is installed, enabled, and up-to-date - Check Host-based IDS (HIDS) is installed, enabled, and up-to-date - Check operating system is at minimum required version and update level - Check for the presence of file-sharing and peer-to-peer applications - Scan for known and unknown (zero-day) virus outbreaks. If the remote access policy assessment solution does not include all of the minimum required checks above, this is a finding.
Configure the assessment policy for the NAC device to scan remote endpoints prior to connection to an organization's network. The following are a minimum set of required checks: - Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date - Check host-based firewall is installed, enabled, and up-to-date - Check Host-based IDS (HIDS) is installed, enabled, and up-to-date - Check operating system is at minimum required version and update level - Check for the presence of file-sharing and peer-to-peer applications - Scan for known and unknown (zero-day) virus outbreaks
Verify compliance by checking the filter and configuration of the access control service/solution. Note: For unmanaged devices, only devices that have passed the scan will be admitted for full access. Automated remediation may not be possible, since it often requires administrative access that the user should not have on the client PC. In that case the device must be manually remediated by the owning entity and then re-assessed prior to allowing access.
Ensure that for endpoints that are not inspected and controlled by the site, the access control system/solution performs automated assessment.
Verify compliance by asking the site personnel to provide documentation.
Use automated entry control components (e.g., NAC appliance, policy server) that are NIAP compliant.
Verify compliance by checking the configuration of the policy assessment server or other component which communicates with the HBSS client on the endpoint devices. Verify that communications are configured to be encrypted.
Ensure that the communication between the endpoint agent and the policy enforcement device is encrypted.
Check compliance by interviewing the site representative. Ask if the enforcement system has an integrity checking mechanism. Do not document details of the procedure used.
Ensure that the installed endpoint agent and the enforcement system have an integrity checking mechanism (e.g., a file hash or other check).
Interview the site personnel. If unmanaged endpoints are permitted access, ask whether the agent is preconfigured with IP address ranges or other government information.
Ensure unmanaged endpoints, when allowed, are not preconfigured with agents containing sensitive network access information such as IP address ranges.
Review the authentication configuration of the policy assessment/enforcement device. Verify that it is configured to use a separate authentication server to perform user authentication.
Ensure the authentication configuration of the policy assessment/enforcement device is configured to use a separate authentication server to perform user authentication.
Verify that remediation server is configured as follows: – Will be separated from the policy assessment server on a separate subnet; – Will be separated from the internal protected enclave by a separate subnet; – The subnet configuration will comply with the requirement of the Network Infrastructure STIG; – Will incorporate and leverage use of DoD remediation tools when available; and – Will comply with the requirements of the applicable operating system STIG.
Ensure the remediation server is configured as required, at a minimum.
Review the configuration of the device. Verify that filters for the policy assessment device are set to take one of the approved action choices upon failure. The site is compliant if one of the following actions is performed in accordance with site policy. – Terminate the connection and place the device on a "blacklist" to prevent future connection attempts until action is taken to remove the device from the blacklist; – Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server; – Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the DAA); – Allow the device and user full entry into the protected enclave but flag it for future remediation. With this option an automated reminder should be used to inform the user of the remediation status.
Ensure filters for the policy assessment device are set to take one of the approved action choices upon failure.
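The posture checks listed above and the four approved failure actions can be expressed as a small decision procedure. The following is an added example, not the STIG's text and not any vendor's NAC product code: it evaluates a constructed endpoint posture report against the minimum required checks, selects one approved action, and keeps the blacklist across connection attempts so that a blacklisted device cannot bypass assessment until an administrator clears it. The posture field names, the seven-day signature-age threshold, the minimum OS version, and treating an active infection as the "critical" finding that forces blacklisting are assumptions for illustration; the rule that an unmanaged device is never admitted on a flag alone follows the note above that unmanaged devices get full access only after passing the scan.

```python
"""Posture evaluation and enforcement-action selection for a NAC policy server.

Added example; not the STIG's text and not any vendor's product code. The posture
field names, the 7-day signature-age threshold, the minimum OS version, and the
choice of "active_infection" as the critical finding are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    """Pass, or one of the four approved actions on failure."""
    FULL_ACCESS = "full access"
    BLACKLIST = "terminate and blacklist"
    REMEDIATE = "redirect to remediation subnet"
    LIMITED_DMZ = "limited DMZ services only (DAA approved)"
    FLAG_ONLY = "full access, flagged for remediation"


@dataclass(frozen=True)
class Posture:
    """Constructed posture report as an agent might send it to the policy server."""
    managed: bool = True
    av_installed: bool = True
    av_enabled: bool = True
    av_signature_age_days: int = 1
    fw_installed: bool = True
    fw_enabled: bool = True
    hids_installed: bool = True
    hids_enabled: bool = True
    os_version: tuple[int, int] = (10, 0)
    p2p_apps: tuple[str, ...] = ()      # detected file-sharing / peer-to-peer apps
    active_infection: bool = False      # result of the on-connect malware scan


MIN_OS_VERSION = (10, 0)                  # assumed site minimum
MAX_SIGNATURE_AGE_DAYS = 7                # assumed site meaning of "up-to-date"
CRITICAL_FINDINGS = {"active_infection"}  # assumed findings that put the network at risk


def sample_posture(**overrides) -> Posture:
    """A compliant posture with selected fields overridden (demo helper)."""
    return replace(Posture(), **overrides)


def evaluate(p: Posture) -> list[str]:
    """Names of the minimum required checks that failed (empty list == compliant)."""
    failed = []
    if not (p.av_installed and p.av_enabled
            and p.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS):
        failed.append("antivirus")
    if not (p.fw_installed and p.fw_enabled):
        failed.append("firewall")
    if not (p.hids_installed and p.hids_enabled):
        failed.append("hids")
    if p.os_version < MIN_OS_VERSION:
        failed.append("os_version")
    if p.p2p_apps:
        failed.append("p2p")
    if p.active_infection:
        failed.append("active_infection")
    return failed


def decide(p: Posture, site_policy: Action) -> Action:
    """Map failed checks to one approved action.

    site_policy is the action the site chose for ordinary failures. Critical
    findings always blacklist. An unmanaged device is never admitted with a
    flag only: it must be remediated and re-assessed before full access.
    """
    failed = evaluate(p)
    if not failed:
        return Action.FULL_ACCESS
    if CRITICAL_FINDINGS & set(failed):
        return Action.BLACKLIST
    if not p.managed and site_policy is Action.FLAG_ONLY:
        return Action.REMEDIATE
    return site_policy


class Enforcer:
    """Tracks blacklisted and flagged devices across connection attempts."""

    def __init__(self, site_policy: Action = Action.REMEDIATE):
        self.site_policy = site_policy
        self.blacklist: set[str] = set()
        self.flagged: set[str] = set()

    def admit(self, device_id: str, p: Posture) -> Action:
        # A blacklisted device stays out until an administrator removes it;
        # the filter never lets it bypass authentication or assessment.
        if device_id in self.blacklist:
            return Action.BLACKLIST
        action = decide(p, self.site_policy)
        if action is Action.BLACKLIST:
            self.blacklist.add(device_id)
        elif action is Action.FLAG_ONLY:
            self.flagged.add(device_id)   # drives the periodic reminder to user and SA
        return action

    def clear(self, device_id: str) -> None:
        """Administrative removal from the blacklist once the issue is resolved."""
        self.blacklist.discard(device_id)
```

A real policy server would take the posture from the agent over the encrypted channel required later in this STIG and would hand the resulting action to the filter or VLAN assignment; the point of the example is that the action is chosen by policy, not by the endpoint, and that the blacklist is consulted before any posture data is trusted.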
Verify by checking the documentation that any access control bypass procedure has been approved by the DAA.
Document approval by the DAA for all access control bypass procedures.
Verify by examining the configuration of the policy assessment or enforcement server (e.g., NAC appliance). Verify that the actions taken when an endpoint fails authentication comply with the requirement.
Where unmanaged devices are not allowed access, the IAO will ensure that the remote access request is terminated for remote endpoints that fail device authentication.
Verify compliance by interviewing the NSO. The configuration of the policy enforcement device should also be examined. There are several ways to achieve compliance. In each case, the endpoint should not receive an IP address that can be used on the trusted side of the network. A DMZ, VLAN, or direct host-host communications may be used.
Ensure that endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.
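The two checks above (the assessment device must not reach unrelated DMZ hosts, and endpoints on the remediation path must not reach anything outside the remediation process) are both reachability questions about an access list. The following is an added example, not the STIG's text and not a vendor's tool: it audits a constructed first-match ACL from a remediation subnet against a constructed set of hosts and reports every host and port outside the remediation process that the subnet can still reach. The addresses, host names, probe ports, and the rule format are all constructed for illustration; the good ACL follows the architecture described above, with the remediation server and the policy server each on their own subnet.

```python
"""Audit an access list for what the remediation subnet can reach.

Added example; not the STIG's text and not any vendor's tooling. Addresses,
host names, probe ports, and the rule format are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    """One first-match ACL entry; dport None matches any destination port."""
    action: str              # "permit" or "deny"
    src: IPNet
    dst: IPNet
    dport: Optional[int] = None


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s)


def host(s: str) -> IPAddr:
    return ipaddress.ip_address(s)


# Constructed topology: failing endpoints land on the remediation subnet; the
# remediation and policy servers sit on their own subnets, per the text above.
REMEDIATION_SUBNET = net("10.20.30.0/24")
PROCESS_HOSTS = {"remediation-server": host("10.20.31.10"),
                 "policy-server": host("10.20.32.10")}
OTHER_HOSTS = {"internal-file-server": host("10.1.1.5"),
               "mail": host("10.1.2.25"),
               "dmz-web": host("192.0.2.10")}
PROBE_PORTS = (22, 80, 443, 445)

# Correct ACL: only the two servers, only on the service port, then deny all.
GOOD_ACL = [
    Rule("permit", REMEDIATION_SUBNET, net("10.20.31.10/32"), 443),
    Rule("permit", REMEDIATION_SUBNET, net("10.20.32.10/32"), 443),
    Rule("deny", REMEDIATION_SUBNET, net("0.0.0.0/0")),
]
# Common mistake: a broad permit that lets the quarantine reach the enclave.
BAD_ACL = [
    Rule("permit", REMEDIATION_SUBNET, net("10.0.0.0/8")),
    Rule("deny", REMEDIATION_SUBNET, net("0.0.0.0/0")),
]


def permitted(rules: Iterable[Rule], src: IPAddr, dst: IPAddr, dport: int) -> bool:
    """First matching rule wins; no match is an implicit deny."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "permit"
    return False


def reachable(rules, src_net: IPNet, hosts: dict[str, IPAddr], ports) -> set[str]:
    """'name:port' pairs reachable from the first or last usable address of src_net."""
    probes = (src_net.network_address + 1, src_net.broadcast_address - 1)
    return {f"{name}:{port}"
            for name, addr in hosts.items()
            for port in ports
            if any(permitted(rules, p, addr, port) for p in probes)}


def audit(rules, rem_subnet=REMEDIATION_SUBNET, other_hosts=OTHER_HOSTS,
          ports=PROBE_PORTS) -> list[str]:
    """Violations: hosts outside the remediation process that the subnet can reach."""
    return sorted(reachable(rules, rem_subnet, other_hosts, ports))


def remediation_path_open(rules, rem_subnet=REMEDIATION_SUBNET,
                          process_hosts=PROCESS_HOSTS, port=443) -> bool:
    """True when every host in the remediation process is reachable on its service port."""
    probe = rem_subnet.network_address + 1
    return all(permitted(rules, probe, addr, port) for addr in process_hosts.values())
```

Run the same audit with the policy assessment device's own subnet as the source and the other DMZ hosts as `other_hosts` to cover the earlier check; the logic is identical. Against a real device, export the ACL into the `Rule` form and probe every service port the enclave actually exposes, not just the four constructed here.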
Verify configuration of the enforcement server/solution. Check to see if unmanaged devices are set to be reassessed once remediation actions are completed.
Ensure that unmanaged devices are set to be reassessed once remediation actions are completed.
Interview the network administrator or site representatives. Verify if system administrators are informed of the requirement to use only authorized endpoint devices when remotely accessing DoD networks and systems for configuration, management, or restricted access. Verify there is a configuration management process that ensures STIG compliance. For contractor owned equipment, verify systems used are documented and approved by a government representative.
Train individuals authorized to perform configuration, management, and other privileged tasks using remote access to use only government-owned or authorized devices. Establish a STIG compliance process. For contractor owned endpoints, obtain approval/authorization for configuration, access method, and compliance process from government representative. Configure systems for policy assessment (e.g., NAC) upon access if contractor devices are used.
Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows: - The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless access, mobile access). - The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device. - Incident handling and reporting procedures are identified along with a designated point of contact. - The policy will contain general security requirements and practices and will be signed by the remote user. - If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc. - Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment. If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.
Develop documentation as required.
Inspect a copy of the site's remote user agreement and Service Level Agreements. Verify that one of these documents includes the following requirements for unmanaged endpoints: – The endpoints are approved by the DAA; – The endpoints are capable of complying with applicable STIG requirements to the greatest extent possible (i.e., they comply with all CAT 1 requirements applicable to the OS and other technology used); – The owner signs a forfeiture agreement in case of a security incident; – The security policy on the device is actively scanned by the IAO prior to allowing access to the DoD enclave; and – Full access to the DoD internal protected enclave is not permitted; access is restricted to a limited access subnet.
If unmanaged endpoints are used, ensure the required documentation and agreements are completed in compliance with this requirement.
Inspect a copy of the site’s security checklist, if available. This checklist may be incorporated into the user agreement or the user training. The checklist is different from the user agreement in that it incorporates all of the user's security responsibilities concerning remote computing and network security in general. Verify that documentation exists to show that users are required to read and sign this checklist or training material.
Ensure a checklist or detailed user training is used to inform the users of their security responsibilities.
Inspect a copy of the site’s user agreement. Verify user agreement has the current consent provision exactly as written by DoD for legal purposes.
Ensure remote user agreement contains a Standard Mandatory Notice and Consent Provision.
Inspect the user training material or the remote user checklist. Verify that users are trained not to plug the DoD endpoint directly into the broadband modem. Users must be given assistance (e.g., a checklist) on how to configure and properly connect GFE to a correctly configured broadband router or firewall appliance.
Ensure the user is trained not to connect the endpoint directly to the broadband modem but rather to use a correctly configured security gateway.
Review the user agreement or security checklist. Verify that it contains the instruction to configure home networking router or firewall appliances to implement NAT.
Update the remote user security checklist to include a check for the teleworker to configure the home networking router or firewall appliances to implement NAT.
Review the user agreement or security checklist. Ensure users have been informed that their home network must be configured to use the router or firewall to isolate the DoD endpoint from the other devices on the home network.
Update the remote access security checklist, the user agreement, or other training materials to show that users are trained to comply with the approved teleworker home network architecture.
Review the security checklist or user agreement. Verify that users have received information on the following best practices. – Changing the device password on home network devices such as routers and firewalls. – Configuring the device so that it cannot be administered from outside the home network, preventing external attackers from taking control of the device. – Configuring the device to silently ignore unsolicited requests sent to it, which essentially hides the device from malicious parties. – Checking for updates and applying them periodically, as explained in the vendor's documentation, either automatically (typically daily or weekly) or manually (to be performed by the teleworker at least monthly). – For broadband routers, turning off or disabling built-in wireless access points (APs) that are not being used. – The proper precautionary measures for a firewall appliance or broadband router vary by product, so users should be pointed to the vendor's documentation.
Train users as required.
Verify by inspecting the training material or security checklist. An automated method where the NIC is disabled may be implemented.
Implement automated controls or train users to physically disconnect or disable NICs when no longer connected to the secure VPN.
Review the user training or security checklist to verify that users are trained on this requirement. If this is automatically enforced, have the IAO demonstrate this feature.
Update the user training or security checklist.
Interview the IAO. Ask whether any devices, whether DoD-owned or permitted through Service Level Agreements, lack anti-virus or firewall software or cannot be configured to meet DoD requirements. If such devices are permitted, this is a finding.
Ensure the DAA and system administrator have a policy that devices must contain anti-virus and firewall software compliant with the DoD requirements of the Desktop STIG.
Verify use of NSA-certified equipment and architecture by asking the site representative to demonstrate the products and encryption used. Verify compliance with the following requirements: – The solution is used in accordance with all NSA and DoD policy and guidelines. – The solution will use a High Assurance (Type 1) Link Encryptor to provide high assurance link protection (confidentiality, integrity, and authentication), using NSA-certified cryptographic components, between the remote user and DoD enclaves or other computing environments. The solution will also use a High Assurance (Type 1) Media Encryptor to provide high assurance protection (confidentiality and integrity), using NSA-certified cryptographic components, for the remote user's hard drive and removable media. – The NSA Type 1 link encryption device is kept in the user's possession at all times or stored in accordance with policy applicable to classified storage. – The NSA Type 1 link encryption device is stored separately from the computer when not in use.
Ensure use of compliant architecture and equipment.
Interview the IAO. Ask whether the remote access equipment, endpoints, and communications equipment are government owned.
Ensure all equipment used for remote access solutions that process classified information is government owned and managed.
Ask the site representative for documentation, or verify by inspecting the TLS configuration. NOTE: Systems may use the NIST-preferred method of ephemeral Diffie-Hellman, but new systems will have the capability to use RSA key establishment.
Ensure newly purchased systems have the capability to perform RSA key establishment.
Interview the site representative or inspect the VPN encryption configuration on the TLS VPN appliance or server. NOTE: Prior to purchasing a TLS VPN, the site will verify that the system has the capability to require HMAC-SHA-1. Use of devices using SHA-1 hash functions is acceptable.
When purchasing a TLS VPN, ensure the system has the capability to require HMAC-SHA-1.
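The two checks above ask whether the TLS stack is capable of ephemeral Diffie-Hellman, of RSA key establishment, and of an HMAC-SHA-1 cipher suite. One way to answer that on an OpenSSL-backed system is to read the enabled cipher list and classify each suite by its key-exchange and MAC fields. The following is an added example, not the STIG's text and not a vendor's configuration tool: it uses Python's `ssl.SSLContext.get_ciphers()`, whose records carry a `kea` field (e.g. `kx-ecdhe`, `kx-dhe`, `kx-rsa`, `kx-any` for TLS 1.3) and a `digest` field (`sha1`, `sha256`, or `None` for AEAD suites), and it also accepts a constructed list so it can be tested offline. The capability names (`ephemeral_dh`, `rsa_key_establishment`, `hmac_sha1`) are my labels, not terms from the STIG. The example reports capability only; which suites a site should actually prefer is a policy decision the check does not make.

```python
"""Report which key-establishment and MAC capabilities a TLS cipher list offers.

Added example; not the STIG's text. Classifies cipher records in the shape that
ssl.SSLContext.get_ciphers() returns, so it runs against the live OpenSSL build
or against constructed records. Capability names are this example's own labels.
"""
import ssl

REQUIRED = ("ephemeral_dh", "rsa_key_establishment", "hmac_sha1")


def capabilities(ciphers: list) -> dict:
    """Whether at least one enabled suite satisfies each property the checks ask about."""
    kea = {c.get("kea") for c in ciphers}        # key exchange, e.g. kx-ecdhe / kx-rsa
    digests = {c.get("digest") for c in ciphers}  # MAC hash; None for AEAD suites
    return {
        "ephemeral_dh": bool(kea & {"kx-ecdhe", "kx-dhe"}),  # the NIST-preferred method
        "rsa_key_establishment": "kx-rsa" in kea,             # capability asked of new systems
        "hmac_sha1": "sha1" in digests,                       # HMAC-SHA-1 on a CBC suite
    }


def missing(caps: dict, required=REQUIRED) -> list:
    """Required capabilities that the cipher list cannot provide."""
    return [name for name in required if not caps.get(name)]


def live_capabilities() -> dict:
    """Inspect the cipher list OpenSSL enables for this interpreter's default client context."""
    return capabilities(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).get_ciphers())


# Constructed records in the shape get_ciphers() returns (unrelated fields omitted).
SAMPLE_MODERN_ONLY = [
    {"name": "TLS_AES_256_GCM_SHA384", "kea": "kx-any", "digest": None},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "digest": None},
]
SAMPLE_WITH_LEGACY = SAMPLE_MODERN_ONLY + [
    {"name": "AES128-SHA", "kea": "kx-rsa", "digest": "sha1"},
    {"name": "DHE-RSA-AES256-SHA", "kea": "kx-dhe", "digest": "sha1"},
]
```

Against a VPN appliance you cannot run Python on, the same classification can be applied to the cipher suite names the appliance's administrative interface lists: the name's key-exchange prefix (`ECDHE-`, `DHE-`, or none for RSA key transport) and its trailing hash (`-SHA` for HMAC-SHA-1) carry the same information as the `kea` and `digest` fields used here.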
Verification will depend on the method used by the site to automate this functionality. Verify that endpoints failing to pass the minimum required security configuration checks are not given full access to DoD non-public information. NOTE: The user will be presented with a limited portal which does not include access options for sensitive resources. (The required security checks will be identified and approved by the DAA or designated representative.)
Ensure endpoints failing to pass the minimum required security configuration checks are not given full access to DoD non-public information; any limited access granted must be approved by the DAA.
Interview the IAO. Ask if users are allowed to process classified information from remote locations. Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunneled using communications channels which are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements as follows: - C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. The SIPRNet will be the network of choice for C2 traffic. - Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs. - Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (DISA/GS21). Supporting rationale will be presented to the CDSM. - Type 1 encryption will be employed. - Must be documented in the DIACAP Implementation Plan (DIP). - Termination of the tunnel will be in facilities authorized to process classified US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy. **This check applies to Enhanced Compliance Validation visits.
The IAO will ensure classified information is not transmitted over any communications system unless it is transmitted using approved NSA security devices in addition to approved security procedures and practices.
The system owner will identify security domain requirements in the DIACAP documentation. Each DIP must include a description of the site's architecture with the remote access equipment shown on the drawing. Verify that these documents reflect the installation or modification of network devices that provide remote access services (e.g., appliances or servers such as RAS, VPN, remote security assessment, or policy appliances).
Verify DIACAP equipment list reflects changes made to the site’s remote access network devices.
Ensure remote access device traffic is configured using an approved architecture. All ingress traffic will be directed for inspection by the firewall and Network IDS/IPS. Because this traffic is required to be in an encrypted tunnel, the site may implement one of two approved architectures. 1. Terminate the tunnel at the external NIDS located between the site's Approved Gateway (Service Delivery Router) and the premise router; or 2. Terminate at the remote access gateway and route the traffic to the IDS/IPS for inspection prior to forwarding into the protected LAN.
Architecture must use one of the approved options for ensuring that remote access ingress traffic will pass through and be inspected by the firewall and Network IDS/IPS.
Review network architecture with the network administrator. Verify compliance by inspecting the site network topology diagrams and the firewall interface configurations. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator to verify the diagrams are current. If the network device does not use an approved network isolation method (e.g., DMZ), this is a finding.
Use the network diagram in the Network Infrastructure STIG for guidance on placement of the RAS server in the appropriate DMZ subnets.
View the configuration of the RAS and/or remote VPN gateway. Verify that a AAA (authentication) server is required for privileged access to the remote access device by reviewing the authentication screen. Verify that the configuration requires the following: 1. Multi-factor authentication (e.g., PKI, SecurID, or DoD Alternate Token) using a AAA server; 2. Identification and personal authentication using individually assigned accounts rather than group or shared accounts or authenticators; and 3. Encryption using FIPS 140-2 compliant algorithms and encryption modules (e.g., AES). Also verify that a network review has been performed using the Network Infrastructure STIG and that the architecture complies with the in-band and out-of-band management requirements of the appropriate Network Infrastructure STIG.
The remote access administrator will configure the remote access or VPN server to use the TACACS+, RADIUS, or Diameter server for administrative access.
Verify the users are trained not to use public computers or kiosks to process government sensitive information. This may be placed in the User Agreement or the site's training materials.
Ensure users do not use public computers and kiosks to process, store, or transmit sensitive information without approval of the data owner.
Interview the SA and ask whether PKI is implemented on the endpoint computer and configured for use by the email program.
Ensure the email solution on the remote access endpoint has the ability to digitally sign messages.
Detailed Policy Requirements: The ISSO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device: - Maintaining physical control of the device. - Reducing exposure of sensitive data. - User authentication and content encryption requirements. - Enabling wireless interfaces only when needed. - Enable VPN connection to the DoD network immediately after establishing a wireless connection (using an approved VPN client). - All Internet browsing will be done via the VPN connection to the DoD network. - No split tunneling of VPN. - Locations where wireless remote access is authorized or not authorized (i.e., home, airport, hotel, etc.). - Wireless client configuration requirements. - Use of WPA2 Personal (AES) on home WLAN. - Home WLAN password and SSID requirements - Discontinue the use of devices suspected of being tampered with and notify the site ISSO. Check Procedures: Review site wireless device and/or IA awareness training material to verify it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user. Verify site training records show authorized wireless remote access users received required training and training occurred before the users were issued a device. Check training records for approximately five users, picked at random. If wireless remote access users have not received required training, this is a finding.
Complete required training.
Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site AO, Commander, Director, or other appropriate manager. It is recommended that the policy include required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet): - Device unlock password requirements. - Client software patches kept up to date. - Internet browsing through the enterprise Internet gateway. - Device security policy managed by a centrally managed policy manager. - Procedures after the client is lost, stolen, or another security incident occurs. - Configuration requirements of the wireless client. - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for the home WLAN. - Authentication password of at least eight characters required for the home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of a health check of the client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use the organization's WLANs? --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment? - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client devices may be used, such as specific locations.
--Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft. Check Procedures: Interview the ISSO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site AO, Commander, Director, or other appropriate manager. If a wireless remote access policy does not exist or is not signed, this is a finding.
Publish Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.
This requirement applies to mobile operating system (OS) CMDs. Work with the traditional reviewer to review the site's physical security policy. Verify the site addresses CMDs with embedded cameras. If there is no written physical security policy outlining whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility, this is a finding.
Publish a site physical security policy that includes a statement if CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility.