Unified Endpoint Management Server Security Requirements Guide

Version

SRG-APP-000023-UEM-000012

Vuln IDs

V-234286

Rule IDs

SV-234286r960768_rule

Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.

Checks: C-37471r613868_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server provides automated mechanisms for supporting account management functions. If the UEM server does not provide automated mechanisms for supporting account management functions, this is a finding.

Fix: F-37436r613869_fix

Configure the UEM server to provide automated mechanisms for supporting account management functions.

b

The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.

AC-2 - Medium - CCI-000016 - V-234287 - SV-234287r960771_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000016

Version

SRG-APP-000024-UEM-000013

Vuln IDs

V-234287

Rule IDs

SV-234287r960771_rule

If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary user accounts must be set upon account creation. Temporary user accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary user accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37472r613871_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically removes or disables temporary user accounts after 72 hours, if supported by the UEM server. If the UEM server does not automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server, this is a finding.

Fix: F-37437r613872_fix

Configure the UEM server to automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server.

b

The UEM server must automatically disable accounts after a 35-day period of account inactivity.

AC-2 - Medium - CCI-000017 - V-234288 - SV-234288r960774_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000017

Version

SRG-APP-000025-UEM-000014

Vuln IDs

V-234288

Rule IDs

SV-234288r960774_rule

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. Satisfies:FMT_SMF.1(2)b. Reference:PP-MDM-431027

Checks: C-37473r613874_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically disables accounts after a 35-day period of account inactivity. If the UEM server does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.

Fix: F-37438r613875_fix

Configure the UEM server to automatically disable accounts after a 35-day period of account inactivity.

b

The UEM server must automatically audit account creation.

AC-2 - Medium - CCI-000018 - V-234289 - SV-234289r960777_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000018

Version

SRG-APP-000026-UEM-000015

Vuln IDs

V-234289

Rule IDs

SV-234289r960777_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37474r613877_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account creation. If the UEM server does not automatically audit account creation, this is a finding.

Fix: F-37439r613878_fix

Configure the UEM server to automatically audit account creation.

b

The UEM server must automatically audit account modification.

AC-2 - Medium - CCI-001403 - V-234290 - SV-234290r960780_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001403

Version

SRG-APP-000027-UEM-000016

Vuln IDs

V-234290

Rule IDs

SV-234290r960780_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37475r613880_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account modification. If the UEM server does not automatically audit account modification, this is a finding.

Fix: F-37440r613881_fix

Configure the UEM server to automatically audit account modification.

b

The UEM server must automatically audit account disabling actions.

AC-2 - Medium - CCI-001404 - V-234291 - SV-234291r960783_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001404

Version

SRG-APP-000028-UEM-000017

Vuln IDs

V-234291

Rule IDs

SV-234291r960783_rule

When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account disabling actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37476r613883_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account disabling actions. If the UEM server does not automatically audit account disabling actions, this is a finding.

Fix: F-37441r613884_fix

Configure the UEM server to automatically audit account disabling actions.

b

The UEM server must automatically audit account removal actions.

AC-2 - Medium - CCI-001405 - V-234292 - SV-234292r960786_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001405

Version

SRG-APP-000029-UEM-000018

Vuln IDs

V-234292

Rule IDs

SV-234292r960786_rule

When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37477r613886_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account removal actions. If the UEM server does not automatically audit account removal actions, this is a finding.

Fix: F-37442r613887_fix

Configure the UEM server to automatically audit account removal actions.

b

The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

AC-7 - Medium - CCI-000044 - V-234310 - SV-234310r960840_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

SRG-APP-000065-UEM-000036

Vuln IDs

V-234310

Rule IDs

SV-234310r960840_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies:FMT_SMF.1(2)b. Reference:PP-MDM-431028

Checks: C-37495r617396_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If the UEM server does not enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.

Fix: F-37460r613941_fix

Configure the UEM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

b

The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

AC-8 - Medium - CCI-000048 - V-234311 - SV-234311r960843_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

SRG-APP-000068-UEM-000037

Vuln IDs

V-234311

Rule IDs

SV-234311r960843_rule

Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies:FTA_TAB.1.1, FMT_SMF.1.1(2) c.2 Reference:PP-MDM-411056

Checks: C-37496r613943_chk

Verify the UEM server displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. If the UEM server does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application, this is a finding.

Fix: F-37461r613944_fix

Configure the UEM server to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

a

The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.

AC-8 - Low - CCI-000050 - V-234312 - SV-234312r960846_rule

RMF Control

AC-8

Severity

L

CCI

CCI-000050

Version

SRG-APP-000069-UEM-000038

Vuln IDs

V-234312

Rule IDs

SV-234312r960846_rule

The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". Satisfies:FTA_TAB.1.1 Reference:PP-MDM-413003

Checks: C-37497r613946_chk

Verify the UEM server retains the access banner until the user acknowledges acceptance of the access conditions. If the UEM server does not retain the access banner until the user acknowledges acceptance of the access conditions, this is a finding.

Fix: F-37462r613947_fix

Configure the UEM server to retain the access banner until the user acknowledges acceptance of the access conditions.

b

The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

AU-10 - Medium - CCI-000166 - V-234318 - SV-234318r960864_rule

RMF Control

AU-10

Severity

M

CCI

CCI-000166

Version

SRG-APP-000080-UEM-000044

Vuln IDs

V-234318

Rule IDs

SV-234318r960864_rule

Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. The application will be configured to provide non-repudiation services for an organization-defined set of commands that are used by the user (or processes action on behalf of the user). DoD PKI provides for non-repudiation through the use of digital signatures. Non-repudiation requirements will vary from one application to another and will be defined based on application functionality, data sensitivity, and mission requirements. Satisfies:FCS_COP.1.1(3), FCS_COP.1.1(4)

Checks: C-37503r613964_chk

Verify the UEM server protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. If the UEM server does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation this is a finding.

Fix: F-37468r613965_fix

Configure the UEM server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

b

The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.

AU-12 - Medium - CCI-000169 - V-234323 - SV-234323r960879_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

SRG-APP-000089-UEM-000049

Vuln IDs

V-234323

Rule IDs

SV-234323r960879_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the application will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions. DoD Required auditable events: - Change in enrollment status - Failure to apply policies to a mobile device - Start up and shut down of the UEM System - All administrative actions - Commands issued to the UEM Agent - Server component failure - All system alerts, including system integrity verification failures Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37508r613979_chk

Verify the UEM server provides audit record generation capability for DoD-defined auditable events within all application components. If the UEM server does not provide audit record generation capability for DoD-defined auditable events within all application components, this is a finding.

Fix: F-37473r613980_fix

Configure the UEM server to provide audit record generation capability for DoD-defined auditable events within all application components.

b

The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.

AU-12 - Medium - CCI-000169 - V-234324 - SV-234324r960879_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

SRG-APP-000089-UEM-000050

Vuln IDs

V-234324

Rule IDs

SV-234324r960879_rule

Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems. Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Satisfies:FAU_SAR.1.2 Reference:PP-MDM-413050

Checks: C-37509r613982_chk

Verify the UEM server provides audit records in a manner suitable for the Authorized Administrators to interpret the information. If the UEM server does not provide audit records in a manner suitable for the Authorized Administrators to interpret the information, this is a finding.

Fix: F-37474r613983_fix

Configure the UEM server to be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.

b

The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.

AU-12 - Medium - CCI-000171 - V-234325 - SV-234325r960882_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

SRG-APP-000090-UEM-000051

Vuln IDs

V-234325

Rule IDs

SV-234325r960882_rule

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. Satisfies:FMT_SMR.1.1(1) Reference:PP-MDM-411058

Checks: C-37510r613985_chk

Verify the UEM server allows only specific administrator roles to select which auditable events are to be audited. If the UEM server does not allow only specific administrator roles to select which auditable events are to be audited, this is a finding.

Fix: F-37475r613986_fix

Configure the UEM server to be configured to allow only specific administrator roles to select which auditable events are to be audited.

b

The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.

AU-12 - Medium - CCI-000172 - V-234326 - SV-234326r960885_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000091-UEM-000052

Vuln IDs

V-234326

Rule IDs

SV-234326r960885_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_GEN.1.1(1)

Checks: C-37511r613988_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to access privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.

Fix: F-37476r613989_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to access privileges occur.

b

The UEM server must initiate session auditing upon startup.

AU-14 - Medium - CCI-001464 - V-234327 - SV-234327r960888_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

SRG-APP-000092-UEM-000053

Vuln IDs

V-234327

Rule IDs

SV-234327r960888_rule

If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies:FAU_GEN.1.1(1)

Checks: C-37512r613991_chk

Verify the UEM server initiate session auditing upon startup. If the UEM server does not initiate session auditing upon startup, this is a finding.

Fix: F-37477r613992_fix

Configure the UEM server to initiate session auditing upon startup.

b

The UEM server must be configured to produce audit records containing information to establish what type of events occurred.

AU-3 - Medium - CCI-000130 - V-234328 - SV-234328r960891_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

SRG-APP-000095-UEM-000055

Vuln IDs

V-234328

Rule IDs

SV-234328r960891_rule

Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37513r613994_chk

Verify the UEM server produces audit records containing information to establish what type of events occurred. If the UEM server does not produce audit records containing information to establish what type of events occurred, this is a finding.

Fix: F-37478r613995_fix

Configure the UEM server to be configured to produce audit records containing information to establish what type of events occurred.

b

The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.

AU-3 - Medium - CCI-000131 - V-234329 - SV-234329r960894_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

SRG-APP-000096-UEM-000056

Vuln IDs

V-234329

Rule IDs

SV-234329r960894_rule

Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37514r613997_chk

Verify the UEM server produces audit records containing information to establish when (date and time) the events occurred. If the UEM server does not produce audit records containing information to establish when (date and time) the events occurred, this is a finding.

Fix: F-37479r613998_fix

Configure the UEM server to be configured to produce audit records containing information to establish when (date and time) the events occurred.

b

The UEM server must be configured to produce audit records containing information to establish where the events occurred.

AU-3 - Medium - CCI-000132 - V-234330 - SV-234330r960897_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

SRG-APP-000097-UEM-000057

Vuln IDs

V-234330

Rule IDs

SV-234330r960897_rule

Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37515r614000_chk

Verify the UEM server produces audit records containing information to establish where the events occurred. If the UEM server does not produce audit records containing information to establish where the events occurred, this is a finding.

Fix: F-37480r614001_fix

Configure the UEM server to be configured to produce audit records containing information to establish where the events occurred.

b

The UEM server must be configured to produce audit records containing information to establish the source of the events.

AU-3 - Medium - CCI-000133 - V-234331 - SV-234331r960900_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000133

Version

SRG-APP-000098-UEM-000058

Vuln IDs

V-234331

Rule IDs

SV-234331r960900_rule

Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event. In the case of centralized logging, the source would be the application name accompanied by the host or client name. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging. Associating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37516r614003_chk

Verify the UEM server produces audit records containing information to establish the source of the events. If the UEM server does not produce audit records containing information to establish the source of the events, this is a finding.

Fix: F-37481r614004_fix

Configure the UEM server to be configured to produce audit records containing information to establish the source of the events.

b

The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.

AU-3 - Medium - CCI-000134 - V-234332 - SV-234332r960903_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

SRG-APP-000099-UEM-000059

Vuln IDs

V-234332

Rule IDs

SV-234332r960903_rule

Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37517r614006_chk

Verify the UEM server produces audit records that contain information to establish the outcome of the events. If the UEM server does not produce audit records that contain information to establish the outcome of the events, this is a finding.

Fix: F-37482r614007_fix

Configure the UEM server to be configured to produce audit records that contain information to establish the outcome of the events.

b

The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.

AU-3 - Medium - CCI-001487 - V-234333 - SV-234333r960906_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

SRG-APP-000100-UEM-000060

Vuln IDs

V-234333

Rule IDs

SV-234333r960906_rule

Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Event identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37518r614009_chk

Verify the UEM server generates audit records containing information that establishes the identity of any individual or process associated with the event. If the UEM server does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.

Fix: F-37483r614010_fix

Configure the UEM server to be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.

b

The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

AU-3 - Medium - CCI-000135 - V-234334 - SV-234334r960909_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000135

Version

SRG-APP-000101-UEM-000061

Vuln IDs

V-234334

Rule IDs

SV-234334r960909_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. In addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events. Satisfies:FAU_GEN.1.2(1) Reference:PP-MDM-412060

Checks: C-37519r614012_chk

Verify the UEM server generates audit records containing the full-text recording of privileged commands or the individual identities of group account users. If the UEM server does not generate audit records containing the full-text recording of privileged commands or the individual identities of group account users, this is a finding.

Fix: F-37484r614013_fix

Configure the UEM server to be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

b

The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AU-5 - Medium - CCI-000139 - V-234335 - SV-234335r960912_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

SRG-APP-000108-UEM-000062

Vuln IDs

V-234335

Rule IDs

SV-234335r960912_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Satisfies:FAU_ALT_EXT.1.1 Reference:PP-MDM-412059

Checks: C-37520r614015_chk

Verify the UEM server alerts the ISSO and SA (at a minimum) in the event of an audit processing failure. If the UEM server does not alert the ISSO and SA (at a minimum) in the event of an audit processing failure, this is a finding.

Fix: F-37485r614016_fix

Configure the UEM server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

b

The UEM server must use host operating system clocks to generate time stamps for audit records.

AU-8 - Medium - CCI-000159 - V-234340 - SV-234340r960927_rule

RMF Control

AU-8

Severity

M

CCI

CCI-000159

Version

SRG-APP-000116-UEM-000067

Vuln IDs

V-234340

Rule IDs

SV-234340r960927_rule

Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose. Satisfies: OE.TIMESTAMP, FAU_GEN.1.2(1)

Checks: C-37525r614030_chk

Verify the UEM server uses host operating system clocks to generate time stamps for audit records. If the UEM server does not use host operating system clocks to generate time stamps for audit records, this is a finding

Fix: F-37490r614031_fix

Configure the UEM server to use host operating system clocks to generate time stamps for audit records.

b

The UEM server must protect audit information from any type of unauthorized read access.

AU-9 - Medium - CCI-000162 - V-234341 - SV-234341r960930_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

SRG-APP-000118-UEM-000068

Vuln IDs

V-234341

Rule IDs

SV-234341r960930_rule

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)

Checks: C-37526r614033_chk

Verify the UEM server protects audit information from any type of unauthorized read access. If the UEM server does not protect audit information from any type of unauthorized read access, this is a finding

Fix: F-37491r614034_fix

Configure the UEM server to protect audit information from any type of unauthorized read access.

b

The UEM server must protect audit information from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-234342 - SV-234342r960933_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

SRG-APP-000119-UEM-000069

Vuln IDs

V-234342

Rule IDs

SV-234342r960933_rule

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)

Checks: C-37527r614036_chk

Verify the UEM server protects audit information from unauthorized modification. If the UEM server does not protect audit information from unauthorized modification, this is a finding.

Fix: F-37492r614037_fix

Configure the UEM server to protect audit information from unauthorized modification.

b

The UEM server must protect audit information from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-234343 - SV-234343r960936_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

SRG-APP-000120-UEM-000070

Vuln IDs

V-234343

Rule IDs

SV-234343r960936_rule

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself. Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)

Checks: C-37528r614039_chk

Verify the UEM server protects audit information from unauthorized deletion. If the UEM server does not protect audit information from unauthorized deletion, this is a finding

Fix: F-37493r614040_fix

Configure the UEM server to protect audit information from unauthorized deletion.

b

The UEM server must back up audit records at least every seven days onto a log management server.

AU-9 - Medium - CCI-001348 - V-234347 - SV-234347r960948_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001348

Version

SRG-APP-000125-UEM-000074

Vuln IDs

V-234347

Rule IDs

SV-234347r960948_rule

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. Satisfies:FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b

Checks: C-37532r614051_chk

Verify the UEM server backs up audit records at least every seven days onto a log management server. If the UEM server does not back up audit records at least every seven days onto a log management server, this is a finding.

Fix: F-37497r614052_fix

Configure the UEM server to back up audit records at least every seven days onto a log management server.

b

The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Medium - CCI-003992 - V-234349 - SV-234349r985741_rule

RMF Control

Severity

M

CCI

CCI-003992

Version

SRG-APP-000131-UEM-000076

Vuln IDs

V-234349

Rule IDs

SV-234349r985741_rule

Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA). Satisfies:FIA_X509_EXT.1.1(1)

Checks: C-37534r614057_chk

Verify the UEM server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. If the UEM server does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.

Fix: F-37499r614058_fix

Configure the UEM server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

b

The UEM server must limit privileges to change the software resident within software libraries.

CM-5 - Medium - CCI-001499 - V-234351 - SV-234351r960960_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001499

Version

SRG-APP-000133-UEM-000078

Vuln IDs

V-234351

Rule IDs

SV-234351r960960_rule

If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs, which execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Satisfies:FMT_SMR.1.1(1), FPT_TUD_EXT.1.2

Checks: C-37536r614063_chk

Verify the UEM server limits privileges to change the software resident within software libraries. If the UEM server does not limit privileges to change the software resident within software libraries, this is a finding.

Fix: F-37501r614064_fix

Configure the UEM server to limit privileges to change the software resident within software libraries.

b

The UEM server must be configured to disable non-essential capabilities.

CM-7 - Medium - CCI-000381 - V-234352 - SV-234352r960963_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000381

Version

SRG-APP-000141-UEM-000079

Vuln IDs

V-234352

Rule IDs

SV-234352r960963_rule

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled. Satisfies:FMT_SMF.1.1(2) c.2 Reference:PP-MDM-411064

Checks: C-37537r614066_chk

Verify the UEM server has disabled non-essential capabilities. If the UEM server has not disabled non-essential capabilities, this is a finding.

Fix: F-37502r614067_fix

Configure the UEM server to be configured to disable non-essential capabilities.

b

The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

CM-7 - Medium - CCI-000382 - V-234353 - SV-234353r960966_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

SRG-APP-000142-UEM-000080

Vuln IDs

V-234353

Rule IDs

SV-234353r960966_rule

All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. Satisfies:FMT_SMF.1.1(2) Refinement b Reference:PP-MDM-431006

Checks: C-37538r614069_chk

Verify the firewall protecting the UEM server platform is configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services). If the firewall protecting the UEM server platform is not configured so that only DoD-approved ports, protocols, and services are enabled, this is a finding.

Fix: F-37503r614070_fix

Configure the firewall protecting the UEM server platform so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).

b

The UEM server must be configured to use only documented platform APIs.

CM-7 - Medium - CCI-000382 - V-234354 - SV-234354r960966_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

SRG-APP-000142-UEM-000081

Vuln IDs

V-234354

Rule IDs

SV-234354r960966_rule

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). Satisfies:FPT_API_EXT.1.1

Checks: C-37539r614072_chk

Verify the UEM server uses only documented platform APIs. If the UEM server does not use only documented platform APIs, this is a finding.

Fix: F-37504r614073_fix

Configure the UEM server to be configured to use only documented platform APIs.

b

The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IA-2 - Medium - CCI-000764 - V-234355 - SV-234355r960969_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

SRG-APP-000148-UEM-000082

Vuln IDs

V-234355

Rule IDs

SV-234355r960969_rule

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37540r614075_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). If the UEM server does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.

Fix: F-37505r614076_fix

Configure the UEM server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

b

The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.

IA-2 - Medium - CCI-000765 - V-234356 - SV-234356r960972_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

SRG-APP-000149-UEM-000083

Vuln IDs

V-234356

Rule IDs

SV-234356r960972_rule

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37541r614078_chk

Verify the UEM server uses a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. If the UEM server does not use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts, this is a finding.

Fix: F-37506r614079_fix

Configure the UEM server to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.

b

All UEM server local accounts created during application installation and configuration must be removed. Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.

IA-2 - Medium - CCI-000765 - V-234358 - SV-234358r985742_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

SRG-APP-000151-UEM-000085

Vuln IDs

V-234358

Rule IDs

SV-234358r985742_rule

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies:FMT_SMF.1.1(2) b / IA-5(1)(a) Reference:PP-MDM-431007

Checks: C-37543r985679_chk

Verify all UEM server local accounts created during application installation and configuration have been removed. Note: In this context, "local" accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication. If all UEM server local accounts created during application installation and configuration have not been removed, this is a finding.

Fix: F-37508r985680_fix

Remove all UEM server local accounts created during application installation. Note: In this context, "local" accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.

b

The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.

Medium - CCI-004045 - V-234360 - SV-234360r985744_rule

RMF Control

Severity

M

CCI

CCI-004045

Version

SRG-APP-000153-UEM-000087

Vuln IDs

V-234360

Rule IDs

SV-234360r985744_rule

To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information. Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37545r985683_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server ensures users are authenticated with an individual authenticator prior to using a group authenticator. If the UEM server does not ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.

Fix: F-37510r614091_fix

Configure the UEM server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.

b

The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.

Medium - CCI-004046 - V-234361 - SV-234361r985745_rule

RMF Control

Severity

M

CCI

CCI-004046

Version

SRG-APP-000154-UEM-000088

Vuln IDs

V-234361

Rule IDs

SV-234361r985745_rule

Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DOD CAC. A privileged account is any information system account with authorizations of a privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.

Checks: C-37546r985685_chk

Verify the UEM server uses DOD PKI for multifactor authentication. If the UEM server does not use DOD PKI for multifactor authentication, this is a finding.

Fix: F-37511r985686_fix

Configure the UEM server to use DOD PKI for multifactor authentication.

c

The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

IA-2 - High - CCI-001941 - V-234363 - SV-234363r960993_rule

RMF Control

IA-2

Severity

H

CCI

CCI-001941

Version

SRG-APP-000156-UEM-000090

Vuln IDs

V-234363

Rule IDs

SV-234363r960993_rule

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Anti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols, such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol is also complaint. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Configure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method. Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37548r614099_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the UEM server does not use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.

Fix: F-37513r614100_fix

Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

b

The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

IA-2 - Medium - CCI-001941 - V-234364 - SV-234364r985747_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

SRG-APP-000157-UEM-000091

Vuln IDs

V-234364

Rule IDs

SV-234364r985747_rule

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A nonprivileged account is any operating system account with authorizations of a nonprivileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37549r985689_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server implements replay-resistant authentication mechanisms for network access to nonprivileged accounts. If the UEM server does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.

Fix: F-37514r985690_fix

Configure the UEM server to implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

b

The UEM server must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-234367 - SV-234367r985748_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000164-UEM-000094

Vuln IDs

V-234367

Rule IDs

SV-234367r985748_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431018

Checks: C-37552r614111_chk

Verify the UEM server enforces a minimum 15-character password length. If the UEM server does not enforce a minimum 15-character password length, this is a finding.

Fix: F-37517r614112_fix

Configure the UEM server to enforce a minimum 15-character password length.

b

The UEM server must prohibit password reuse for a minimum of five generations.

Medium - CCI-004061 - V-234368 - SV-234368r985749_rule

RMF Control

Severity

M

CCI

CCI-004061

Version

SRG-APP-000165-UEM-000095

Vuln IDs

V-234368

Rule IDs

SV-234368r985749_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431025

Checks: C-37553r614114_chk

Verify the UEM server prohibits password reuse for a minimum of five generations. If the UEM server does not prohibit password reuse for a minimum of five generations, this is a finding.

Fix: F-37518r614115_fix

Configure the UEM server to prohibit password reuse for a minimum of five generations.

b

The UEM server must enforce password complexity by requiring that at least one uppercase character be used.

Medium - CCI-004066 - V-234369 - SV-234369r985750_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000166-UEM-000096

Vuln IDs

V-234369

Rule IDs

SV-234369r985750_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431020

Checks: C-37554r614117_chk

Verify the UEM server enforces password complexity by requiring that at least one uppercase character be used. If the UEM server does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-37519r614118_fix

Configure the UEM server to enforce password complexity by requiring that at least one uppercase character be used.

b

The UEM server must enforce password complexity by requiring that at least one lowercase character be used.

Medium - CCI-004066 - V-234370 - SV-234370r985751_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000167-UEM-000097

Vuln IDs

V-234370

Rule IDs

SV-234370r985751_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431019

Checks: C-37555r614120_chk

Verify the UEM server enforces password complexity by requiring that at least one lowercase character be used. If the UEM server does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Fix: F-37520r614121_fix

Configure the UEM server to enforce password complexity by requiring that at least one lowercase character be used.

b

The UEM server must enforce password complexity by requiring that at least one numeric character be used.

Medium - CCI-004066 - V-234371 - SV-234371r985752_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000168-UEM-000098

Vuln IDs

V-234371

Rule IDs

SV-234371r985752_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431021

Checks: C-37556r614123_chk

Verify the UEM server enforces password complexity by requiring that at least one numeric character be used. If the UEM server does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-37521r614124_fix

Configure the UEM server to enforce password complexity by requiring that at least one numeric character be used.

b

The UEM server must enforce password complexity by requiring that at least one special character be used.

Medium - CCI-004066 - V-234372 - SV-234372r985753_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000169-UEM-000099

Vuln IDs

V-234372

Rule IDs

SV-234372r985753_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431022

Checks: C-37557r614126_chk

Verify the UEM server enforces password complexity by requiring that at least one special character be used. If the UEM server does not enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-37522r614127_fix

Configure the UEM server to enforce password complexity by requiring that at least one special character be used.

b

The UEM server must require the change of at least 15 of the total number of characters when passwords are changed.

Medium - CCI-004066 - V-234373 - SV-234373r985754_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000170-UEM-000100

Vuln IDs

V-234373

Rule IDs

SV-234373r985754_rule

If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

Checks: C-37558r614129_chk

Verify the UEM server requires the change of at least 15 of the total number of characters when passwords are changed. If the UEM server does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.

Fix: F-37523r614130_fix

Configure the UEM server to require the change of at least 15 of the total number of characters when passwords are changed.

b

For UEM server using password authentication, the application must store only cryptographic representations of passwords.

Medium - CCI-004062 - V-234374 - SV-234374r985755_rule

RMF Control

Severity

M

CCI

CCI-004062

Version

SRG-APP-000171-UEM-000101

Vuln IDs

V-234374

Rule IDs

SV-234374r985755_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include: - When the user does not use a common access card (CAC) and is not a current DOD employee, member of the military, or DOD contractor. - When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied. - When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection. If the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. Verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash. A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows: H0 = H(pwd, H(salt)) Hn = H(Hn-1,H(salt)) In the above, "n" is a cryptographically-strong random [*3] number. "Hn" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares "Hn" with the stored "Hn". A salt is essentially a fixed-length cryptographically strong random value. Another method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key. This requirement applies to all accounts including authentication server, AAA, and local account, including the root account and the account of last resort. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431008

Checks: C-37559r614132_chk

If the UEM server is using password authentication, verify the server stores only cryptographic representations of passwords. If the UEM server is using password authentication but does not store only cryptographic representations of passwords, this is a finding.

Fix: F-37524r614133_fix

For a UEM server using password authentication, configure the server to store only cryptographic representations of passwords.

c

For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

IA-5 - High - CCI-000197 - V-234375 - SV-234375r961029_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000197

Version

SRG-APP-000172-UEM-000102

Vuln IDs

V-234375

Rule IDs

SV-234375r961029_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems must not be configured to use SHA-1 for integrity of remote access sessions. This requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort. This requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies:FIA_ENR_EXT.1.1, FCS_COP.1.1(2) Refinement

Checks: C-37560r614135_chk

For UEM server using password authentication, verify the network element uses FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. If UEM server using password authentication but the network element does not use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.

Fix: F-37525r614136_fix

For a UEM server using password authentication, configure the network element to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

b

The UEM server must enforce a 60-day maximum password lifetime restriction.

Medium - CCI-004066 - V-234377 - SV-234377r985756_rule

RMF Control

Severity

M

CCI

Version

SRG-APP-000174-UEM-000104

Vuln IDs

V-234377

Rule IDs

SV-234377r985756_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431024

Checks: C-37562r614141_chk

Verify the UEM server enforces a 60-day maximum password lifetime restriction. If the UEM server does not enforce a 60-day maximum password lifetime restriction, this is a finding.

Fix: F-37527r614142_fix

Configure the UEM server to enforce a 60-day maximum password lifetime restriction.

b

When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IA-5 - Medium - CCI-000185 - V-234378 - SV-234378r961038_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

SRG-APP-000175-UEM-000105

Vuln IDs

V-234378

Rule IDs

SV-234378r961038_rule

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications. A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems. Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria my also violate trusted channel rule set. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. Satisfies:FIA_X509_EXT.1.1(1), FIA_X509_EXT.2.1, FIA_X509_EXT.2.2

Checks: C-37563r614144_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. When using PKI-based authentication for user access, verify the UEM server validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor. If the UEM server uses PKI-based authentication for user access but does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.

Fix: F-37528r614145_fix

When using PKI-based authentication for user access, configure the UEM server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

b

When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.

IA-5 - Medium - CCI-000185 - V-234379 - SV-234379r961038_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

SRG-APP-000175-UEM-000106

Vuln IDs

V-234379

Rule IDs

SV-234379r961038_rule

When an UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Satisfies:FIA_X509_EXT.2.2 Reference:PP-MDM-412003

Checks: C-37564r614147_chk

Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate. If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.

Fix: F-37529r614148_fix

Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.

b

The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

IA-5 - Medium - CCI-000186 - V-234380 - SV-234380r961041_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

SRG-APP-000176-UEM-000107

Vuln IDs

V-234380

Rule IDs

SV-234380r961041_rule

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Satisfies:FIA_X509_EXT.1.1(1)

Checks: C-37565r614150_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the he UEM server, when using PKI-based authentication, enforces authorized access to the corresponding private key. If the UEM server, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding

Fix: F-37530r614151_fix

Configure the UEM server, when using PKI-based authentication, to enforce authorized access to the corresponding private key.

b

The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.

IA-5 - Medium - CCI-000187 - V-234381 - SV-234381r961044_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000187

Version

SRG-APP-000177-UEM-000108

Vuln IDs

V-234381

Rule IDs

SV-234381r961044_rule

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Satisfies: FIA Reference:PP-MDM-414003

Checks: C-37566r614153_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server maps the authenticated identity to the individual user or group account for PKI-based authentication. If the UEM server does not map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.

Fix: F-37531r614154_fix

Configure the UEM server to map the authenticated identity to the individual user or group account for PKI-based authentication.

b

The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-6 - Medium - CCI-000206 - V-234382 - SV-234382r961047_rule

RMF Control

IA-6

Severity

M

CCI

CCI-000206

Version

SRG-APP-000178-UEM-000109

Vuln IDs

V-234382

Rule IDs

SV-234382r961047_rule

To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided information when typed into the system is a method used in addressing this risk. For example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431026

Checks: C-37567r614156_chk

Verify the UEM server obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. If the UEM server does not obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals, this is a finding.

Fix: F-37532r614157_fix

Configure the UEM server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

c

The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.

IA-7 - High - CCI-000803 - V-234383 - SV-234383r961050_rule

RMF Control

IA-7

Severity

H

CCI

CCI-000803

Version

SRG-APP-000179-UEM-000110

Vuln IDs

V-234383

Rule IDs

SV-234383r961050_rule

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. Satisfies:FCS_COP.1.1(2)

Checks: C-37568r614159_chk

Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. If the UEM server does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications, this is a finding.

Fix: F-37533r614160_fix

Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.

b

The UEM server must protect the authenticity of communications sessions.

SC-23 - Medium - CCI-001184 - V-234405 - SV-234405r961110_rule

RMF Control

SC-23

Severity

M

CCI

CCI-001184

Version

SRG-APP-000219-UEM-000132

Vuln IDs

V-234405

Rule IDs

SV-234405r961110_rule

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). Satisfies:FIA_ENR_EXT.1.1, FTP_TRP.1.1(2), FTP_TRP.1.1(1)

Checks: C-37590r614225_chk

Verify the UEM server protects the authenticity of communications sessions. If the UEM server does not protect the authenticity of communications sessions, this is a finding.

Fix: F-37555r614226_fix

Configure the UEM server to protect the authenticity of communications sessions.

b

The UEM server must invalidate session identifiers upon user logout or other session termination.

SC-23 - Medium - CCI-001185 - V-234406 - SV-234406r961113_rule

RMF Control

SC-23

Severity

M

CCI

CCI-001185

Version

SRG-APP-000220-UEM-000133

Vuln IDs

V-234406

Rule IDs

SV-234406r961113_rule

Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.

Checks: C-37591r614228_chk

Verify the UEM server invalidates session identifiers upon user logout or other session termination. If the UEM server does not invalidate session identifiers upon user logout or other session termination, this is a finding.

Fix: F-37556r614229_fix

Configure the UEM server to invalidate session identifiers upon user logout or other session termination.

b

The UEM server must recognize only system-generated session identifiers.

SC-23 - Medium - CCI-001664 - V-234407 - SV-234407r961116_rule

RMF Control

SC-23

Severity

M

CCI

CCI-001664

Version

SRG-APP-000223-UEM-000134

Vuln IDs

V-234407

Rule IDs

SV-234407r961116_rule

Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).

Checks: C-37592r614231_chk

Verify the UEM server recognizes only system-generated session identifiers. If the UEM server does not recognize only system-generated session identifiers, this is a finding.

Fix: F-37557r614232_fix

Configure the UEM server to recognize only system-generated session identifiers.

c

The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

SC-23 - High - CCI-001188 - V-234408 - SV-234408r961119_rule

RMF Control

SC-23

Severity

H

CCI

CCI-001188

Version

SRG-APP-000224-UEM-000135

Vuln IDs

V-234408

Rule IDs

SV-234408r961119_rule

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. The DRBGs Hash_DRBG, HMAC_DRBG, and CTR_DRBG are recommended for use with RNGs. This requirement is applicable to devices that use a web interface for device management. Satisfies:FCS_RBG_EXT.1.1, FIA_UAU.1.1, FIA_UAU.1.2

Checks: C-37593r614234_chk

Verify the UEM server generates unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm. If the UEM server does not generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm, this is a finding.

Fix: F-37558r614235_fix

Configure the UEM server to generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.

b

The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-234409 - SV-234409r961122_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001190

Version

SRG-APP-000225-UEM-000136

Vuln IDs

V-234409

Rule IDs

SV-234409r961122_rule

Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes. In general, application security mechanisms should be designed so that a failure will follow the same execution path as disallowing the operation. For example, security methods, such as isAuthorized(), isAuthenticated(), and validate(), should all return false if there is an exception during processing. If security controls can throw exceptions, they must be very clear about exactly what that condition means. Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations. Satisfies:FPT_TST_EXT.1.2

Checks: C-37594r614237_chk

Verify the UEM server fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the UEM server does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.

Fix: F-37559r614238_fix

Configure the UEM server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

b

In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

SC-24 - Medium - CCI-001665 - V-234410 - SV-234410r961125_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001665

Version

SRG-APP-000226-UEM-000137

Vuln IDs

V-234410

Rule IDs

SV-234410r961125_rule

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes. Satisfies:FAU_GEN.1.1(1)

Checks: C-37595r614240_chk

Verify the UEM server preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure. If the UEM server does not preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure, this is a finding.

Fix: F-37560r617413_fix

Configure the UEM server to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.

b

The UEM server must check the validity of all data inputs.

SI-10 - Medium - CCI-001310 - V-234421 - SV-234421r961158_rule

RMF Control

SI-10

Severity

M

CCI

CCI-001310

Version

SRG-APP-000251-UEM-000148

Vuln IDs

V-234421

Rule IDs

SV-234421r961158_rule

Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

Checks: C-37606r617398_chk

Verify the UEM server checks the validity of all data inputs. If the UEM server does not check the validity of all data inputs, this is a finding.

Fix: F-37571r614274_fix

Configure the UEM server to check the validity of all data inputs.

b

The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SI-11 - Medium - CCI-001312 - V-234424 - SV-234424r961167_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

SRG-APP-000266-UEM-000151

Vuln IDs

V-234424

Rule IDs

SV-234424r961167_rule

Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. Satisfies:FAU_ALT_EXT.1.1, FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)

Checks: C-37609r614282_chk

Verify the UEM server generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. If the UEM server does not generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.

Fix: F-37574r614283_fix

Configure the UEM server to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

b

The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).

SI-11 - Medium - CCI-001314 - V-234425 - SV-234425r961170_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

SRG-APP-000267-UEM-000152

Vuln IDs

V-234425

Rule IDs

SV-234425r961170_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies:FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)

Checks: C-37610r614285_chk

Verify the UEM server reveals error messages only to the ISSM and ISSO. If the UEM server does not reveal error messages only to the ISSM and ISSO, this is a finding.

Fix: F-37575r614286_fix

Configure the UEM server to reveal error messages only to the ISSM and ISSO.

b

The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.

SI-6 - Medium - CCI-001294 - V-234430 - SV-234430r961185_rule

RMF Control

SI-6

Severity

M

CCI

CCI-001294

Version

SRG-APP-000275-UEM-000157

Vuln IDs

V-234430

Rule IDs

SV-234430r961185_rule

If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37615r614300_chk

Verify the UEM server notifies the ISSO and ISSM of failed security verification tests. If the UEM server does not notify the ISSO and ISSM of failed security verification tests, this is a finding.

Fix: F-37580r614301_fix

Configure the UEM server to notify the ISSO and ISSM of failed security verification tests.

b

The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.

AC-2 - Medium - CCI-000015 - V-234438 - SV-234438r985759_rule

RMF Control

AC-2

Severity

M

CCI

Version

SRG-APP-000291-UEM-000165

Vuln IDs

V-234438

Rule IDs

SV-234438r985759_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the SA and ISSO is one method for mitigating this risk. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37623r985703_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notify SAs and ISSO when accounts are created. If the UEM server does not notify SAs and the ISSO when accounts are created, this is a finding.

Fix: F-37588r985704_fix

Configure the UEM server to notify SA and the ISSO when accounts are created.

b

The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.

AC-2 - Medium - CCI-000015 - V-234439 - SV-234439r985760_rule

RMF Control

AC-2

Severity

M

CCI

Version

SRG-APP-000292-UEM-000166

Vuln IDs

V-234439

Rule IDs

SV-234439r985760_rule

When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37624r985706_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO when accounts are modified. If the UEM server does not notify SAs and the ISSO when accounts are modified, this is a finding.

Fix: F-37589r985707_fix

Configure the UEM server to notify SAs and the ISSO when accounts are modified.

b

The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.

AC-2 - Medium - CCI-000015 - V-234440 - SV-234440r985761_rule

RMF Control

AC-2

Severity

M

CCI

Version

SRG-APP-000293-UEM-000167

Vuln IDs

V-234440

Rule IDs

SV-234440r985761_rule

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37625r985709_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO for account disabling actions. If the UEM server does not notify SAs and the ISSO for account disabling actions, this is a finding.

Fix: F-37590r985710_fix

Configure the UEM server to notify SAs and the ISSO for account disabling actions.

b

The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.

AC-2 - Medium - CCI-000015 - V-234441 - SV-234441r985762_rule

RMF Control

AC-2

Severity

M

CCI

Version

SRG-APP-000294-UEM-000168

Vuln IDs

V-234441

Rule IDs

SV-234441r985762_rule

When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37626r985712_chk

Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO for account removal actions. If the UEM server does not notify SAs and the ISSO for account removal actions, this is a finding.

Fix: F-37591r985713_fix

Configure the UEM server to notify SAs and the ISSO for account removal actions.

b

The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.

AC-12 - Medium - CCI-002361 - V-234442 - SV-234442r961221_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

SRG-APP-000295-UEM-000169

Vuln IDs

V-234442

Rule IDs

SV-234442r961221_rule

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages. Satisfies:FMT_SMF.1.1(2) b Reference:PP-MDM-431014

Checks: C-37627r614336_chk

Verify the UEM server automatically terminates a user session after an organization-defined period of user inactivity. If the UEM server does not automatically terminate a user session after an organization-defined period of user inactivity, this is a finding.

Fix: F-37592r614337_fix

Configure the UEM server to automatically terminate a user session after an organization-defined period of user inactivity.

b

The UEM server must provide logout capability for user-initiated communication sessions.

AC-12 - Medium - CCI-002363 - V-234443 - SV-234443r961224_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002363

Version

SRG-APP-000296-UEM-000170

Vuln IDs

V-234443

Rule IDs

SV-234443r961224_rule

If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. Satisfies:FMT_SMF.1.1(2) b Reference:PP-MDM-431015

Checks: C-37628r614339_chk

Verify the UEM server provides a logout capability for user-initiated communication sessions. If the UEM server does not provide a logout capability for user-initiated communication sessions, this is a finding.

Fix: F-37593r614340_fix

Configure the UEM server to provide a logout capability for user-initiated communication sessions.

b

The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

AC-12 - Medium - CCI-002364 - V-234444 - SV-234444r961227_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002364

Version

SRG-APP-000297-UEM-000171

Vuln IDs

V-234444

Rule IDs

SV-234444r961227_rule

If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.

Checks: C-37629r614342_chk

Verify the UEM server displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. If the UEM server does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.

Fix: F-37594r614343_fix

Configure the UEM server to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

b

The UEM server must automatically audit account-enabling actions.

AC-2 - Medium - CCI-002130 - V-234465 - SV-234465r961290_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002130

Version

SRG-APP-000319-UEM-000192

Vuln IDs

V-234465

Rule IDs

SV-234465r961290_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37650r614405_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account enabling actions. If the UEM server does not automatically audit account enabling actions, this is a finding.

Fix: F-37615r614406_fix

Configure the UEM server to automatically audit account enabling actions.

b

The UEM server must notify system administrator (SA) and information system security officer (ISSO) of account enabling actions.

AC-2 - Medium - CCI-000015 - V-234466 - SV-234466r985764_rule

RMF Control

AC-2

Severity

M

CCI

Version

SRG-APP-000320-UEM-000193

Vuln IDs

V-234466

Rule IDs

SV-234466r985764_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37651r985716_chk

Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies the SA and the ISSO of account enabling actions. If the UEM server does not notify the SA and the ISSO of account enabling actions, this is a finding.

Fix: F-37616r985717_fix

Configure the UEM server to notify SA and the ISSO of account enabling actions.

b

The UEM server must audit the execution of privileged functions.

AC-6 - Medium - CCI-002234 - V-234489 - SV-234489r961362_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002234

Version

SRG-APP-000343-UEM-000216

Vuln IDs

V-234489

Rule IDs

SV-234489r961362_rule

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat. Satisfies:FAU_GEN.1.1(1), b.

Checks: C-37674r615110_chk

Verify the UEM server audits the execution of privileged functions. If the UEM server does not audit the execution of privileged functions, this is a finding.

Fix: F-37639r615111_fix

Configure the UEM server to audit the execution of privileged functions.

b

The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

AC-7 - Medium - CCI-002238 - V-234491 - SV-234491r961368_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

SRG-APP-000345-UEM-000218

Vuln IDs

V-234491

Rule IDs

SV-234491r961368_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies:FMT_SMF.1(2)b Reference:PP-MDM-431030

Checks: C-37676r851554_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically locks the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. If the UEM server does not automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded, this is a finding.

Fix: F-37641r615117_fix

Configure the UEM server to automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

b

The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

AU-4 - Medium - CCI-001851 - V-234500 - SV-234500r961395_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

SRG-APP-000358-UEM-000228

Vuln IDs

V-234500

Rule IDs

SV-234500r961395_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference:PP-MDM-411054

Checks: C-37685r851564_chk

Verify the UEM server transfers UEM server logs to another server for storage, analysis, and reporting. If the UEM server does not transfer UEM server logs to another server for storage, analysis, and reporting, this is a finding. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

Fix: F-37650r615144_fix

Configure the UEM server to be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

b

The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-234516 - SV-234516r961443_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

SRG-APP-000374-UEM-000244

Vuln IDs

V-234516

Rule IDs

SV-234516r961443_rule

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. Satisfies:FAU_GEN.1.2(1)

Checks: C-37701r615191_chk

Verify the UEM server records time stamps for audit records that can be mapped to UTC or GMT. If the UEM server does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.

Fix: F-37666r615192_fix

Configure the UEM server to be configured to record time stamps for audit records that can be mapped to UTC or GMT.

b

The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.

AU-8 - Medium - CCI-001889 - V-234517 - SV-234517r961446_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001889

Version

SRG-APP-000375-UEM-000245

Vuln IDs

V-234517

Rule IDs

SV-234517r961446_rule

Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.

Checks: C-37702r851582_chk

Verify the UEM server records time stamps for audit records that meet a granularity of one second for a minimum degree of precision. If the UEM server does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.

Fix: F-37667r615195_fix

Configure the UEM server to be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.

b

The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.

Medium - CCI-003980 - V-234520 - SV-234520r985770_rule

RMF Control

Severity

M

CCI

CCI-003980

Version

SRG-APP-000378-UEM-000248

Vuln IDs

V-234520

Rule IDs

SV-234520r985770_rule

Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications. Satisfies:FPT_TUD_EXT.1.2

Checks: C-37705r851587_chk

Verify the UEM server prohibits user installation of software by an administrator without the appropriate assigned permission for software installation. If the UEM server does not prohibit user installation of software by an administrator without the appropriate assigned permission for software installation, this is a finding.

Fix: F-37670r615204_fix

Configure the UEM server to prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.

b

The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.

Medium - CCI-003980 - V-234521 - SV-234521r985771_rule

RMF Control

Severity

M

CCI

CCI-003980

Version

SRG-APP-000378-UEM-000249

Vuln IDs

V-234521

Rule IDs

SV-234521r985771_rule

If the application install policy is not enforced, malicious applications and vulnerable applications can be installed on managed mobile devices, which could compromise DOD data. Satisfies:FMT_MOF.1.1(3) Reference:PP-MDM-423206

Checks: C-37706r851589_chk

Verify the UEM server allows only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. If the UEM server does not allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications, this is a finding.

Fix: F-37671r615207_fix

Configure the UEM server to allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.

b

The UEM server must enforce access restrictions associated with changes to the server configuration.

CM-5 - Medium - CCI-001813 - V-234523 - SV-234523r961461_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

SRG-APP-000380-UEM-000251

Vuln IDs

V-234523

Rule IDs

SV-234523r961461_rule

Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Satisfies:FMT_SMR.1.1(1)

Checks: C-37708r615212_chk

Verify the UEM server enforces access restrictions associated with changes to the server configuration. If the UEM server does not enforce access restrictions associated with changes to the server configuration, this is a finding.

Fix: F-37673r615213_fix

Configure the UEM server to enforce access restrictions associated with changes to the server configuration.

b

The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.

Medium - CCI-003938 - V-234524 - SV-234524r985772_rule

RMF Control

Severity

M

CCI

CCI-003938

Version

SRG-APP-000381-UEM-000252

Vuln IDs

V-234524

Rule IDs

SV-234524r985772_rule

Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37709r851593_chk

Verify the UEM server audits the enforcement actions used to restrict access associated with changes to the application. If the UEM server does not audit the enforcement actions used to restrict access associated with changes to the application, this is a finding.

Fix: F-37674r615216_fix

Configure the UEM server to audit the enforcement actions used to restrict access associated with changes to the application.

b

The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.

CM-7 - Medium - CCI-001762 - V-234526 - SV-234526r961470_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001762

Version

SRG-APP-000383-UEM-000254

Vuln IDs

V-234526

Rule IDs

SV-234526r961470_rule

Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. Examples include unneeded listening ports. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure. Satisfies:FMT_SMF.1.1(2) Refinement b Reference:PP-MDM-431006

Checks: C-37711r851596_chk

Verify the UEM server disables organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure. If the UEM server does not disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, this is a finding.

Fix: F-37676r615222_fix

Configure the UEM server to disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.

c

Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.

IA-3 - High - CCI-001967 - V-234538 - SV-234538r961506_rule

RMF Control

IA-3

Severity

H

CCI

CCI-001967

Version

SRG-APP-000395-UEM-000266

Vuln IDs

V-234538

Rule IDs

SV-234538r961506_rule

Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability. Satisfies:FIA_X509_EXT.1(1), FIA_ENR_EXT.1.1

Checks: C-37723r851610_chk

Verify the UEM server establishes a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed. If the UEM server does not establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed, this is a finding.

Fix: F-37688r878109_fix

Configure the UEM server to establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed.

b

The UEM server must prohibit the use of cached authenticators after an organization-defined time period.

IA-5 - Medium - CCI-002007 - V-234543 - SV-234543r961521_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

SRG-APP-000400-UEM-000271

Vuln IDs

V-234543

Rule IDs

SV-234543r961521_rule

If cached authentication information is out-of-date, the validity of the authentication information may be questionable. According to the CNSS 1253, the IA-5(13) control which is tied to this requirement is not defined at the DoD-level. The organization should specify this value based on numerous factors, including the application in question, the data it hosts and the associated exposures/risks.

Checks: C-37728r851617_chk

Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server prohibits the use of cached authenticators after an organization-defined time period. If the UEM server does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.

Fix: F-37693r615273_fix

Configure the UEM server to prohibit the use of cached authenticators after an organization-defined time period.

b

The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Medium - CCI-004068 - V-234544 - SV-234544r985774_rule

RMF Control

Severity

M

CCI

CCI-004068

Version

SRG-APP-000401-UEM-000272

Vuln IDs

V-234544

Rule IDs

SV-234544r985774_rule

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Checks: C-37729r851619_chk

Verify the UEM server, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. If the UEM server, for PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.

Fix: F-37694r615276_fix

Configure the UEM server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network for PKI-based authentication.

c

The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

MA-4 - High - CCI-003123 - V-234555 - SV-234555r961557_rule

RMF Control

MA-4

Severity

H

CCI

CCI-003123

Version

SRG-APP-000412-UEM-000283

Vuln IDs

V-234555

Rule IDs

SV-234555r961557_rule

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.

Checks: C-37740r851630_chk

Verify the UEM server web management tools use a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. If the UEM server web management tools do not use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions, this is a finding.

Fix: F-37705r615309_fix

Configure the UEM server web management tools with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

b

The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.

MA-4 - Medium - CCI-002891 - V-234556 - SV-234556r961560_rule

RMF Control

MA-4

Severity

M

CCI

CCI-002891

Version

SRG-APP-000413-UEM-000284

Vuln IDs

V-234556

Rule IDs

SV-234556r961560_rule

If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when non-local maintenance sessions have been terminated and are no longer available for use.

Checks: C-37741r851632_chk

Verify the UEM server verifies remote disconnection when non-local maintenance and diagnostic sessions are terminated. If the UEM server does not verify remote disconnection when non-local maintenance and diagnostic sessions are terminated, this is a finding.

Fix: F-37706r615312_fix

Configure the UEM server to verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.

b

The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.

SC-23 - Medium - CCI-002470 - V-234573 - SV-234573r961596_rule

RMF Control

SC-23

Severity

M

CCI

Version

SRG-APP-000427-UEM-000298

Vuln IDs

V-234573

Rule IDs

SV-234573r961596_rule

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). Satisfies:FIA_X509_EXT.1.1(1)

Checks: C-37758r851645_chk

Verify the UEM server allows only DoD-PKI established certificate authorities for verification of the establishment of protected sessions. If the UEM server does not allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions, this is a finding.

Fix: F-37723r615354_fix

Configure the UEM server to allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.

b

The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.

SC-23 - Medium - CCI-002470 - V-234574 - SV-234574r961596_rule

RMF Control

SC-23

Severity

M

CCI

Version

SRG-APP-000427-UEM-000299

Vuln IDs

V-234574

Rule IDs

SV-234574r961596_rule

It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. Satisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 Reference:PP-MDM-412002

Checks: C-37759r615356_chk

Verify the UEM server uses X.509v3 certificates for code signing for system software updates. If the UEM server does not use X.509v3 certificates for code signing for system software updates, this is a finding.

Fix: F-37724r615357_fix

Configure the UEM server to use X.509v3 certificates for code signing for system software updates.

b

The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.

SC-23 - Medium - CCI-002470 - V-234575 - SV-234575r961596_rule

RMF Control

SC-23

Severity

M

CCI

Version

SRG-APP-000427-UEM-000300

Vuln IDs

V-234575

Rule IDs

SV-234575r961596_rule

It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. Satisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 Reference:PP-MDM-412002

Checks: C-37760r615359_chk

Verify the UEM server uses X.509v3 certificates for code signing for integrity verification. If the UEM server does not use X.509v3 certificates for code signing for integrity verification, this is a finding.

Fix: F-37725r615360_fix

Configure the UEM server to use X.509v3 certificates for code signing for integrity verification.

c

The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-234588 - SV-234588r961632_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

SRG-APP-000439-UEM-000313

Vuln IDs

V-234588

Rule IDs

SV-234588r961632_rule

Applications may include the following: update server, database, and enterprise directory service. Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPSEC. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. This requirement applies to any application to which the server connects (for example SQL server, Active Directory). Satisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) Reference:PP-MDM-431009

Checks: C-37773r851661_chk

Verify the UEM server connects to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. If the UEM server does not connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information, this is a finding.

Fix: F-37738r615399_fix

Configure the UEM server to connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.

b

The UEM server must be configured to write to the server event log when invalid inputs are received.

SI-10 - Medium - CCI-002754 - V-234596 - SV-234596r961656_rule

RMF Control

SI-10

Severity

M

CCI

CCI-002754

Version

SRG-APP-000447-UEM-000321

Vuln IDs

V-234596

Rule IDs

SV-234596r961656_rule

A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. Satisfies:FPT_TST_EXT.1.2

Checks: C-37781r615422_chk

Verify the UEM server writes to the server event log when invalid inputs are received. If the UEM server does not write to the server event log when invalid inputs are received, this is a finding.

Fix: F-37746r615423_fix

Configure the UEM server to write to the server event log when invalid inputs are received.

b

The UEM server must remove old software components after updated versions have been installed.

SI-2 - Medium - CCI-002617 - V-234603 - SV-234603r961677_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

SRG-APP-000454-UEM-000328

Vuln IDs

V-234603

Rule IDs

SV-234603r961677_rule

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. If the update is due to a security issue with the old version of the app, the old version is not reinstalled. If rollback files are used by the server, they must be stored so as to not be easily accessible to the production system, or cannot be accidentally installed on the operational system, and then must be deleted after a short period of time defined by the organization.

Checks: C-37788r615443_chk

Verify the UEM server removes old software components after updated versions have been installed. If the UEM server does not remove old software components after updated versions have been installed, this is a finding.

Fix: F-37753r615444_fix

Configure the UEM server to remove old software components after updated versions have been installed.

c

The UEM server must be maintained at a supported version.

SI-2 - High - CCI-002605 - V-234605 - SV-234605r961683_rule

RMF Control

SI-2

Severity

H

CCI

CCI-002605

Version

SRG-APP-000456-UEM-000330

Vuln IDs

V-234605

Rule IDs

SV-234605r961683_rule

The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Satisfies:FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 Reference:PP-MDM-414005

Checks: C-37790r615449_chk

Verify the UEM server is maintained at a supported version. If the UEM server is not maintained at a supported version, this is a finding.

Fix: F-37755r615450_fix

Configure the UEM server to be maintained at a supported version.

b

The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.

SI-6 - Medium - CCI-002696 - V-234622 - SV-234622r961731_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002696

Version

SRG-APP-000472-UEM-000347

Vuln IDs

V-234622

Rule IDs

SV-234622r961731_rule

Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 Reference:PP-MDM-411057

Checks: C-37807r851696_chk

Verify the UEM server is configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status; - query the current version of the managed device firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the managed device. If the UEM server is not configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status; - query the current version of the managed device firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the managed device, this is a finding.

Fix: F-37772r878111_fix

Configure the UEM server with the periodicity of the following commands to the agent of six hours or less: - query connectivity status; - query the current version of the managed device firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the managed device.

b

The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.

SI-6 - Medium - CCI-002699 - V-234623 - SV-234623r961734_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002699

Version

SRG-APP-000473-UEM-000348

Vuln IDs

V-234623

Rule IDs

SV-234623r961734_rule

Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FPT_TST_EXT.1.1

Checks: C-37808r851699_chk

Verify the UEM server runs a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server. If the UEM server does not run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server, this is a finding.

Fix: F-37773r615504_fix

Configure the UEM server to run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.

b

The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.

SI-6 - Medium - CCI-002702 - V-234624 - SV-234624r961737_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002702

Version

SRG-APP-000474-UEM-000349

Vuln IDs

V-234624

Rule IDs

SV-234624r961737_rule

If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies:FAU_ALT_EXT.1.1 c.

Checks: C-37809r851701_chk

Verify the UEM server alerts the system administrator when anomalies in the operation of security functions are discovered. If the UEM server does not alert the system administrator when anomalies in the operation of security functions are discovered, this is a finding.

Fix: F-37774r615507_fix

Configure the UEM server to alert the system administrator when anomalies in the operation of security functions are discovered.

b

The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.

SI-7 - Medium - CCI-002740 - V-234629 - SV-234629r961752_rule

RMF Control

SI-7

Severity

M

CCI

CCI-002740

Version

SRG-APP-000479-UEM-000354

Vuln IDs

V-234629

Rule IDs

SV-234629r961752_rule

Unauthorized modifications to software or firmware may be indicative of a sophisticated, targeted cyber-attack. Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Satisfies:FPT_TUD_EXT.1.3

Checks: C-37814r851707_chk

Verify the UEM server verifies software updates to the server using a digital signature mechanism prior to installing those updates. If the UEM server does not verify software updates to the server using a digital signature mechanism prior to installing those updates, this is a finding.

Fix: F-37779r615522_fix

Configure the UEM server to verify software updates to the server using a digital signature mechanism prior to installing those updates.

b

The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.

AU-12 - Medium - CCI-000172 - V-234642 - SV-234642r961791_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000492-UEM-000367

Vuln IDs

V-234642

Rule IDs

SV-234642r961791_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37827r616011_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to access security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access security objects occur, this is a finding.

Fix: F-37792r615561_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to access security objects occur.

b

The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.

AU-12 - Medium - CCI-000172 - V-234645 - SV-234645r961800_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000495-UEM-000370

Vuln IDs

V-234645

Rule IDs

SV-234645r961800_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37830r617401_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to modify privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify privileges occur, this is a finding.

Fix: F-37795r615570_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify privileges occur.

b

The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.

AU-12 - Medium - CCI-000172 - V-234646 - SV-234646r961803_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000496-UEM-000371

Vuln IDs

V-234646

Rule IDs

SV-234646r961803_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37831r616013_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to modify security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify security objects occur, this is a finding.

Fix: F-37796r615573_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify security objects occur.

b

The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.

AU-12 - Medium - CCI-000172 - V-234649 - SV-234649r961812_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000499-UEM-000374

Vuln IDs

V-234649

Rule IDs

SV-234649r961812_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37834r615581_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to delete privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete privileges occur, this is a finding.

Fix: F-37799r615582_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete privileges occur.

b

The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.

AU-12 - Medium - CCI-000172 - V-234651 - SV-234651r961818_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000501-UEM-000376

Vuln IDs

V-234651

Rule IDs

SV-234651r961818_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37836r616015_chk

Verify the UEM server generates audit records when successful/unsuccessful attempts to delete security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete security objects occur, this is a finding.

Fix: F-37801r615588_fix

Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete security objects occur.

b

The UEM server must generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-234653 - SV-234653r961824_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000503-UEM-000378

Vuln IDs

V-234653

Rule IDs

SV-234653r961824_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37838r615593_chk

Verify the UEM server generates audit records when successful/unsuccessful logon attempts occur. If the UEM server does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.

Fix: F-37803r615594_fix

Configure the UEM server to generate audit records when successful/unsuccessful logon attempts occur.

b

The UEM server must generate audit records for privileged activities or other system-level access.

AU-12 - Medium - CCI-000172 - V-234654 - SV-234654r961827_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000504-UEM-000379

Vuln IDs

V-234654

Rule IDs

SV-234654r961827_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37839r615596_chk

Verify the UEM server generates audit records for privileged activities or other system-level access. If the UEM server does not generate audit records for privileged activities or other system-level access, this is a finding.

Fix: F-37804r615597_fix

Configure the UEM server to generate audit records for privileged activities or other system-level access.

b

The UEM server must generate audit records showing starting and ending time for user access to the system.

AU-12 - Medium - CCI-000172 - V-234655 - SV-234655r961830_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000505-UEM-000380

Vuln IDs

V-234655

Rule IDs

SV-234655r961830_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37840r615599_chk

Verify the UEM server generates audit records showing starting and ending time for user access to the system. If the UEM server does not generate audit records showing starting and ending time for user access to the system, this is a finding.

Fix: F-37805r615600_fix

Configure the UEM server to generate audit records showing starting and ending time for user access to the system.

b

The UEM server must generate audit records when concurrent logons from different workstations occur.

AU-12 - Medium - CCI-000172 - V-234656 - SV-234656r961833_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000506-UEM-000381

Vuln IDs

V-234656

Rule IDs

SV-234656r961833_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37841r615602_chk

Verify the UEM server generates audit records when concurrent logons from different workstations occur. If the UEM server does not generate audit records when concurrent logons from different workstations occur, this is a finding.

Fix: F-37806r615603_fix

Configure the UEM server to generate audit records when concurrent logons from different workstations occur.

b

The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.

AU-12 - Medium - CCI-000172 - V-234657 - SV-234657r961836_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000507-UEM-000382

Vuln IDs

V-234657

Rule IDs

SV-234657r961836_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37842r615605_chk

Verify the UEM server generates audit records when successful/unsuccessful accesses to objects occur. If the UEM server does not generate audit records when successful/unsuccessful accesses to objects occur, this is a finding.

Fix: F-37807r615606_fix

Configure the UEM server to generate audit records when successful/unsuccessful accesses to objects occur.

b

The UEM server must generate audit records for all direct access to the information system.

AU-12 - Medium - CCI-000172 - V-234658 - SV-234658r961839_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000508-UEM-000383

Vuln IDs

V-234658

Rule IDs

SV-234658r961839_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37843r615608_chk

Verify the UEM server generates audit records for all direct access to the information system. If the UEM server does not generate audit records for all direct access to the information system, this is a finding.

Fix: F-37808r615609_fix

Configure the UEM server to generate audit records for all direct access to the information system.

b

The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.

AU-12 - Medium - CCI-000172 - V-234659 - SV-234659r961842_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000509-UEM-000384

Vuln IDs

V-234659

Rule IDs

SV-234659r961842_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 Reference:PP-MDM-411065, PP-MDM-412000

Checks: C-37844r616017_chk

Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server generates audit records for all account creations, modifications, disabling, and termination events. If the UEM server does not generate audit records for all account creations, modifications, disabling, and termination events, this is a finding.

Fix: F-37809r615612_fix

Configure the UEM server to generate audit records for all account creations, modifications, disabling, and termination events.

c

The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.

SC-13 - High - CCI-002450 - V-234664 - SV-234664r961857_rule

RMF Control

SC-13

Severity

H

CCI

CCI-002450

Version

SRG-APP-000514-UEM-000389

Vuln IDs

V-234664

Rule IDs

SV-234664r961857_rule

FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the product being evaluated. Satisfies:FCS_COP.1.1(2)

Checks: C-37849r615626_chk

Verify the UEM server uses a FIPS-validated cryptographic module to generate cryptographic hashes. If the UEM server does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.

Fix: F-37814r615627_fix

Configure the UEM server to use a FIPS-validated cryptographic module to generate cryptographic hashes.

b

The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.

AU-4 - Medium - CCI-001851 - V-234665 - SV-234665r961860_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

SRG-APP-000515-UEM-000390

Vuln IDs

V-234665

Rule IDs

SV-234665r961860_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference:PP-MDM-411054

Checks: C-37850r851724_chk

Verify the UEM server, at a minimum, off-loads audit logs of interconnected systems in real time and off-load standalone systems weekly. If the UEM server does not off-load audit logs of interconnected systems in real time and off-load standalone systems weekly, this is a finding.

Fix: F-37815r615630_fix

Configure the UEM server to, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.

b

The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

CM-6 - Medium - CCI-000366 - V-234666 - SV-234666r961863_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-APP-000516-UEM-000391

Vuln IDs

V-234666

Rule IDs

SV-234666r961863_rule

Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.

Checks: C-37851r616021_chk

Verify the UEM server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the UEM server is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.

Fix: F-37816r615633_fix

Configure the UEM server in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

b

The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.

CM-6 - Medium - CCI-000366 - V-234667 - SV-234667r961863_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-APP-000516-UEM-000392

Vuln IDs

V-234667

Rule IDs

SV-234667r961863_rule

Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems. Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Satisfies:FAU_SAR.1.1 Reference:PP-MDM-413000

Checks: C-37852r615635_chk

Verify the UEM server allows authorized administrators to read all audit data from audit records on the server. If the UEM server does not allow authorized administrators to read all audit data from audit records on the server, this is a finding.

Fix: F-37817r615636_fix

Configure the UEM server to allow authorized administrators to read all audit data from audit records on the server.

c

The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.

SC-13 - High - CCI-002450 - V-234668 - SV-234668r961866_rule

RMF Control

SC-13

Severity

H

CCI

CCI-002450

Version

SRG-APP-000555-UEM-000393

Vuln IDs

V-234668

Rule IDs

SV-234668r961866_rule

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. Satisfies:FCS_COP.1.1(1), FTP_TRP.1.1(1) Reference:PP-MDM-414001

Checks: C-37853r615638_chk

Verify FIPS 140-2 mode has been implemented on the UEM server for all server and agent encryption. If FIPS 140-2 mode has not been implemented on the UEM server for all server and agent encryption, this is a finding.

Fix: F-37818r615639_fix

Configure the UEM server to implement FIPS 140-2 mode for all server and agent encryption.

b

The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

AC-17 - Medium - CCI-001453 - V-234669 - SV-234669r961869_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

SRG-APP-000560-UEM-000394

Vuln IDs

V-234669

Rule IDs

SV-234669r961869_rule

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation, either on DoD-only or on public-facing servers. Satisfies:FCS_TLSC_EXT.1.1 Reference:PP-MDM-412061

Checks: C-37854r615641_chk

Verify the UEM server is configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. If the UEM server is not configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.

Fix: F-37819r615642_fix

Configure the UEM server to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

b

The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

IA-3 - Medium - CCI-001967 - V-234673 - SV-234673r961881_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

SRG-APP-000580-UEM-000398

Vuln IDs

V-234673

Rule IDs

SV-234673r961881_rule

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. This requires device-to-device authentication. Information systems must use IEEE 802.1x, Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, or Kerberos to identify/authenticate devices on local and/or wide area networks. Satisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) Reference:PP-MDM-431009

Checks: C-37858r851729_chk

Verify the UEM server authenticates endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. If the UEM server does not authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based, this is a finding.

Fix: F-37823r615654_fix

Configure the UEM server to authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

b

If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.

IA-3 - Medium - CCI-001967 - V-234674 - SV-234674r961884_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

SRG-APP-000585-UEM-000399

Vuln IDs

V-234674

Rule IDs

SV-234674r961884_rule

Pre-shared keys are symmetric keys that are already in place prior to the initiation of a Transport Layer Security (TLS) session (e.g., as the result of a manual distribution). In general, pre-shared keys should not be used. However, the use of pre-shared keys may be appropriate for some closed environments that have stung key management best practices. Pre-shared keys may be appropriate for constrained environments with limited processing, memory, or power. If pre-shared keys are appropriate and supported, the following additional guidelines must be followed. Consult 800-52 for recommended pre-shared key cipher suites for pre-shared keys. Pre-shared keys must be distributed in a secure manner, such as a secure manual distribution or using a key establishment certificate. These cipher suites employ a pre-shared key for device authentication (for both the server and the client) and may also use RSA or ephemeral Diffie-Hellman (DHE) algorithms for key establishment. Because these cipher suites require pre-shared keys, these suites are not generally applicable to classic secure website applications and are not expected to be widely supported in TLS clients or TLS servers. NIST suggests that these suites be considered in particular for infrastructure applications, particularly if frequent authentication of the network entities is required. These cipher suites may be used with TLS versions 1.1 or 1.2. Note that cipher suites using GCM, SHA-256, or SHA-384 are only available in TLS 1.2.

Checks: C-37859r851731_chk

Verify cipher suites using pre-shared keys are for device authentication have a minimum security strength of 112 bits or higher. If cipher suites using pre-shared keys are for device authentication do not have a minimum security strength of 112 bits or higher, this is a finding.

Fix: F-37824r615657_fix

If cipher suites using pre-shared keys are used for device authentication, configure the UEM server to have a minimum security strength of 112 bits or higher.

b

The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.

IA-5 - Medium - CCI-000185 - V-234676 - SV-234676r961893_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

SRG-APP-000605-UEM-000401

Vuln IDs

V-234676

Rule IDs

SV-234676r961893_rule

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. Satisfies:FIA_X509_EXT.1.1(1)

Checks: C-37861r616029_chk

Verify the UEM server validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the UEM server does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.

Fix: F-37826r615663_fix

Configure the UEM server to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.

c

The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.

IA-7 - High - CCI-000803 - V-234677 - SV-234677r961896_rule

RMF Control

IA-7

Severity

H

CCI

CCI-000803

Version

SRG-APP-000610-UEM-000402

Vuln IDs

V-234677

Rule IDs

SV-234677r961896_rule

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only. Satisfies:FCS_COP.1.1(4)

Checks: C-37862r616031_chk

Verify the UEM server uses FIPS-validated SHA-256 or higher hash function for digital signature generation and verification. If the UEM server does not use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification, this is a finding.

Fix: F-37827r615666_fix

Configure the UEM server to use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.

c

The UEM server must provide digitally signed policies and policy updates to the UEM agent.

SC-23 - High - CCI-002470 - V-256892 - SV-256892r985785_rule

RMF Control

SC-23

Severity

H

CCI

Version

SRG-APP-000427-UEM-000500

Vuln IDs

V-256892

Rule IDs

SV-256892r985785_rule

It is critical that the UEM server sign all policy updates with validated certificates. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. Satisfies: FMT_POL_EXT.1.1

Checks: C-60567r891313_chk

Verify the UEM server is signing all policy updates sent to the UEM Agent with validated certificates. If the UEM server is not signing all policy updates sent to the UEM Agent with validated certificates, this is a finding.

Fix: F-60510r891311_fix

Configure the UEM server to sign all policy updates sent to the UEM Agent with validated certificates.

c

The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification.

SC-23 - High - CCI-002470 - V-264368 - SV-264368r985737_rule

RMF Control

SC-23

Severity

H

CCI

Version

SRG-APP-000427-UEM-000501

Vuln IDs

V-264368

Rule IDs

SV-264368r985737_rule

It is critical that the UEM server sign all policy updates with validated certificate or private keys. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. Satisfies - FMT_POL_EXT.1.2 PP-MDM-411070

Checks: C-68282r985735_chk

Verify the server is configured to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification. If the UEM server is not signing all policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification., this is a finding.

Fix: F-68190r985736_fix

Configure the UEM server to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification.

c

The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.

SC-23 - High - CCI-002470 - V-264369 - SV-264369r985781_rule

RMF Control

SC-23

Severity

H

CCI