Soaring Software Solutions TCMax 9.x V1R1

b

TCMax must initiate a session lock after a 15-minute period of inactivity.

AC-11 - Medium - CCI-000057 - V-281366 - SV-281366r1186136_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

TCMA-09-000002

Vuln IDs

V-281366

Rule IDs

SV-281366r1186136_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to identify when a user's application session has idled and act to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead.

Checks: C-85927r1185136_chk

Using an account of appropriate privileges to access TCMax, go to Settings >> Options. Under "Login and User Options", if "Automatically log user off after selected number of minutes." is not checked, and the "Number of minutes of idle time will log off the logged in user" is greater than 15, this is a finding.

Fix: F-85832r1186135_fix

1. Go to Settings >> Options. 2. Under "Login and User Options", check the box for "Automatically log user off after selected number of minutes.". 3. Set the "Number of minutes of idle time will log off the logged in user" to "15" or fewer. 4. Click "Save".

b

TCMax must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

AC-7 - Medium - CCI-000044 - V-281367 - SV-281367r1185141_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

TCMA-09-000017

Vuln IDs

V-281367

Rule IDs

SV-281367r1185141_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Checks: C-85928r1185139_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Click the "Account Lockout" tab. If the "Enable Account Lockout Policy" box is unchecked or if the "Number of failed login attempts" value is greater than "3", this is finding. If the "Timespan for failed logins (minutes)" is greater than "15", this is a finding.

Fix: F-85833r1185140_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy." 3. Click the "Account Lockout" tab. 4. Check the "Enable Account Lockout Policy" box. 5. Set the "Number of failed login attempts" value to "3" or fewer. 6. Set the "Timespan for failed logins (Minutes)" value to "15" or fewer. 7. Click "Save".

b

TCMax must protect audit information from any type of unauthorized read access.

AU-9 - Medium - CCI-000162 - V-281368 - SV-281368r1185144_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

TCMA-09-000040

Vuln IDs

V-281368

Rule IDs

SV-281368r1185144_rule

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Checks: C-85929r1185142_chk

Launch TCMax and cancel/fail the login process. If the Tools >> Log Search menu option is enabled, this is a finding.

Fix: F-85834r1185143_fix

1. Go to Settings >> Options. 2. Under "Login and User Options", enable the option to "Do not allow access to log search screen without logging in". 3. Click "Save".

b

TCMax must be configured to prohibit or restrict using organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.

CM-7 - Medium - CCI-000382 - V-281369 - SV-281369r1195319_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

TCMA-09-000051

Vuln IDs

V-281369

Rule IDs

SV-281369r1195319_rule

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols, such as TLS, which provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/service oriented architecture (SOA) requires using TLS mutual authentication (two-way/bidirectional).

Checks: C-85930r1185145_chk

1. Using a Windows account of appropriate privileges to access the file system, open the file C:\ProgramData\Soaring Software Solutions\TCMax\Configuration Files\DatabaseConnections.xml. 2. Review the connection string attribute for Data Source. If the port specified in the Data Source is not approved by the PPSM CAL, this is a finding.

Fix: F-85835r1186137_fix

Configure the connection to use ports approved by the PPSM CAL.

b

TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IA-2 - Medium - CCI-000764 - V-281370 - SV-281370r1186141_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

TCMA-09-000052

Vuln IDs

V-281370

Rule IDs

SV-281370r1186141_rule

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Checks: C-85931r1186139_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab. 2. Under "Login and User Options", verify the following are enabled: - "Require someone to be logged in before you can perform an issue or turn-in". - "Do not allow access to log search screen without logging in". - "Restrict reports to those with permission only". - "Hide user id field on all screens". If any of these options are disabled, this is a finding.

Fix: F-85836r1186140_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab. 2. Under "Login and User Options", enable the following: - "Require someone to be logged in before you can perform an issue or turn-in". - "Do not allow access to log search screen without logging in". - "Restrict reports to those with permission only". - "Hide user id field on all screens". 3. Click "Save".

b

TCMax must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-281371 - SV-281371r1186143_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TCMA-09-000062

Vuln IDs

V-281371

Rule IDs

SV-281371r1186143_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-85932r1186142_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". On the "Password Enforcement" tab, if the "Enable Password Enforcement Policy" box is unchecked or the "Minimum Length" value is less than "15", this is a finding.

Fix: F-85837r1185152_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Check the "Enable Password Enforcement Policy" box. 4. Set the "Minimum Length" value to "15" or greater.

b

TCMax must enforce password complexity by requiring that at least one uppercase letter, one lowercase letter, and number, and one special character be used.

Medium - CCI-004066 - V-281372 - SV-281372r1186146_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TCMA-09-000063

Vuln IDs

V-281372

Rule IDs

SV-281372r1186146_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Complex passwords should consist of at least one uppercase letter, one lowercase letter, one number, and one special character. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Satisfies: SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000870

Checks: C-85933r1186144_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". On the Password Enforcement tab, if the "Enable Password Enforcement Policy" box or the "Complex Password" is unchecked, this is a finding.

Fix: F-85838r1186145_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Check the "Enable Password Enforcement Policy" box and check the "Complex Password" box. 4. Click "Save".

b

TCMax must require the change of at least eight of the total number of characters when passwords are changed.

Medium - CCI-004066 - V-281373 - SV-281373r1186149_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TCMA-09-000067

Vuln IDs

V-281373

Rule IDs

SV-281373r1186149_rule

If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

Checks: C-85934r1186147_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". If the "Enable Password Enforcement Policy" box is unchecked, this is a finding. If the "Different Characters" is a number less than "8", this is a finding.

Fix: F-85839r1186148_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Check the "Enable Password Enforcement Policy". 4. Set the "Different Characters" value to "8" or higher. 5. Click "Save".

b

TCMax must enforce 24 hours/1 day as the minimum password lifetime.

Medium - CCI-004066 - V-281374 - SV-281374r1186152_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TCMA-09-000070

Vuln IDs

V-281374

Rule IDs

SV-281374r1186152_rule

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-85935r1186150_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". If "Enable Password Enforcement Policy" is unchecked, this is a finding. If "Minimum Password Life (Hours)" is less than "24", this is a finding.

Fix: F-85840r1186151_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Ensure "Enable Password Enforcement Policy" is checked. 4. Ensure "Minimum Password Life (Hours)" is set to "24".

b

TCMax must enforce a 60-day maximum password lifetime restriction.

Medium - CCI-004066 - V-281375 - SV-281375r1186155_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TCMA-09-000071

Vuln IDs

V-281375

Rule IDs

SV-281375r1186155_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.

Checks: C-85936r1186153_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". If "Enable Password Enforcement Policy" is unchecked, this is a finding. If "Days Until Password Expires" is more than "60", this is a finding.

Fix: F-85841r1186154_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Ensure "Enable Password Enforcement Policy" is checked. 4. Set "Days Until Password Expires" to "60" or fewer.

c

TCMax must protect the confidentiality and integrity of transmitted information.

SC-23 - High - CCI-001184 - V-281376 - SV-281376r1195320_rule

RMF Control

SC-23

Severity

H

CCI

CCI-001184

Version

TCMA-09-000093

Vuln IDs

V-281376

Rule IDs

SV-281376r1195320_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). This requirement addresses communications protection at the application session versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec. Satisfies: SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000895, SRG-APP-000900, SRG-APP-000905

Checks: C-85937r1185166_chk

1. Using a Windows account of appropriate privileges to access the file system, open the file C:\ProgramData\Soaring Software Solutions\TCMax\Configuration Files\DatabaseConnections.xml. 2. Review the attribute for Encrypt. If Encrypt = False, this is a finding.

Fix: F-85842r1185167_fix

1. Open the file C:\ProgramData\Soaring Software Solutions\TCMax\Configuration Files\DatabaseConnections.xml. 2. Edit the file to set Encrypt = True. Example file below: <Root> <PrimaryConnection DataSource="MicrosoftSqlServer" DataProvider="SqlClient"> <ConnectionString>Persist Security Info=False;Data Source=SERVER_NAME\INSTANCE_NAME;Initial Catalog=DB_NAME;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;MultipleActiveResultSets=True;Connection Timeout=15</ConnectionString> </PrimaryConnection> </Root>

b

TCMax must accept personal identity verification (PIV) credentials.

IA-2 - Medium - CCI-001953 - V-281377 - SV-281377r1186158_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001953

Version

TCMA-09-000165

Vuln IDs

V-281377

Rule IDs

SV-281377r1186158_rule

Using PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated using the common access card (CAC) to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. Satisfies: SRG-APP-000391, SRG-APP-000392

Checks: C-85938r1186156_chk

Using an account of appropriate privileges to access TCMax, go to Settings >> Options. Under "Login and User Options", if "Link Windows IDs to TCMax user accounts" is not checked, this is a finding. If "Close TCMax when Windows user account is locked" is not checked, this is a finding.

Fix: F-85843r1186157_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options. 2. Under "Login and User Options", check the box for "Link Windows IDs to TCMax user accounts". 3. Check the box for "Close TCMax when Windows user account is locked". 4. Click "Save".

b

TCMax must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-281378 - SV-281378r1195327_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

TCMA-09-000205

Vuln IDs

V-281378

Rule IDs

SV-281378r1195327_rule

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Checks: C-85939r1185172_chk

Ensure there is a policy in place to update all relevant security patches. If no policy exists, this is a finding.

Fix: F-85844r1195326_fix

Work with the system owner to develop a policy to ensure security patches and the application version are up to date. Updates are posted to soaringsoftware.com and must be downloaded/installed by system owners. Soaring Software Solutions' newsletter details when new releases are available. 1. Using a web browser, go to soaringsoftware.com. 2. Click "Contact", then "Contact Support", and enter user information. In the message, request to be added to the newsletter distribution.

b

For password-based authentication, TCMax must require immediate selection of a new password upon account recovery.

Medium - CCI-004063 - V-281379 - SV-281379r1186169_rule

RMF Control

Severity

M

CCI

CCI-004063

Version

TCMA-09-000301

Vuln IDs

V-281379

Rule IDs

SV-281379r1186169_rule

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

Checks: C-85940r1186159_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Click the "Account Lockout" tab. If the "Enable Account Lockout Policy" box is unchecked, or the "Force Reset after User Reactivation" box is unchecked, this is a finding.

Fix: F-85845r1186169_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Click the "Configure" menu option at the top of the window, then click "Account Security Policy". 3. Click the "Account Lockout" tab. 4. Check the "Enable Account Lockout Policy" box. 5. Check the "Force Reset after User Reactivation" box. 6. Click "Save".

b

TCMax must enforce a role-based access control (RBAC) policy over defined subjects and objects.

AC-3 - Medium - CCI-002169 - V-281380 - SV-281380r1186164_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002169

Version

TCMA-09-000340

Vuln IDs

V-281380

Rule IDs

SV-281380r1186164_rule

RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization.

Checks: C-85941r1186162_chk

Role-Based Access Control hierarchy is to be defined by the authorizing authority (AO). Separation of duties must be configured. 1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Evaluate the users using the combo box in the top right to change users. 3. Ensure users have the minimal permissions required to perform their duties. 4. Verify least two users have different role types such as "admin" and "user". If only one assigned role exists, this is a finding. If users have excessive permissions, this is a finding.

Fix: F-85846r1186163_fix

Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured. 1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Assign minimal permissions to each user required to perform their job. 3. Assign two or more roles (as defined by the AO) to at least two different user types.

c

TCMax must be running a version supported by the vendor.

CM-6 - High - CCI-000366 - V-281381 - SV-281381r1186170_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

TCMA-09-000342

Vuln IDs

V-281381

Rule IDs

SV-281381r1186170_rule

Running the current version ensures any product updates have been addressed and tested by the vendor.

Checks: C-85942r1185181_chk

Inside the TCMax application, select "Help", then "About". If the product version is not 9.8 or greater, this is a finding.

Fix: F-85847r1185182_fix

Upgrade to the latest version of TCMax.

b

TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IA-2 - Medium - CCI-000764 - V-281382 - SV-281382r1186167_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

TCMA-09-000347

Vuln IDs

V-281382

Rule IDs

SV-281382r1186167_rule

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Checks: C-85943r1186165_chk

1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab. 2. Under "Login and User Options", ensure "Allow users to set item status without being logged in" is unchecked. If this option is enabled, this is a finding.

Fix: F-85848r1186166_fix

1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options. 2. Under the Login and User Options, disable "Allow users to set item status without being logged in". 3. Click "Save".

Checks: C-85927r1185136_chk

Fix: F-85832r1186135_fix

Generate Mitigation Statement:

Checks: C-85928r1185139_chk

Fix: F-85833r1185140_fix

Generate Mitigation Statement:

Checks: C-85929r1185142_chk

Fix: F-85834r1185143_fix

Generate Mitigation Statement:

Checks: C-85930r1185145_chk

Fix: F-85835r1186137_fix

Generate Mitigation Statement:

Checks: C-85931r1186139_chk

Fix: F-85836r1186140_fix

Generate Mitigation Statement:

Checks: C-85932r1186142_chk

Fix: F-85837r1185152_fix

Generate Mitigation Statement:

Checks: C-85933r1186144_chk

Fix: F-85838r1186145_fix

Generate Mitigation Statement:

Checks: C-85934r1186147_chk

Fix: F-85839r1186148_fix

Generate Mitigation Statement:

Checks: C-85935r1186150_chk

Fix: F-85840r1186151_fix

Generate Mitigation Statement:

Checks: C-85936r1186153_chk

Fix: F-85841r1186154_fix

Generate Mitigation Statement:

Checks: C-85937r1185166_chk

Fix: F-85842r1185167_fix

Generate Mitigation Statement:

Checks: C-85938r1186156_chk

Fix: F-85843r1186157_fix

Generate Mitigation Statement:

Checks: C-85939r1185172_chk

Fix: F-85844r1195326_fix

Generate Mitigation Statement:

Checks: C-85940r1186159_chk

Fix: F-85845r1186169_fix

Generate Mitigation Statement:

Checks: C-85941r1186162_chk

Fix: F-85846r1186163_fix

Generate Mitigation Statement:

Checks: C-85942r1185181_chk

Fix: F-85847r1185182_fix

Generate Mitigation Statement:

Checks: C-85943r1186165_chk

Fix: F-85848r1186166_fix

Generate Mitigation Statement: