Verify the UEM server limits the number of concurrent sessions per privileged user account to three or less concurrent sessions. If the UEM server does not limit the number of concurrent sessions per privileged user account to three or less concurrent sessions, this is a finding.
Configure the UEM server to limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
Verify the UEM server conceals, via the session lock, information previously visible on the display with a publicly viewable image. If the UEM server does not conceal via the session lock information previously visible on the display with a publicly viewable image, this is a finding.
Configure the UEM server to conceal via the session lock information previously visible on the display with a publicly viewable image.
Verify the UEM server initiates a session lock after a 15-minute period of inactivity. If the UEM server does not initiate a session lock after a 15-minute period of inactivity, this is a finding.
Configure the UEM server to initiate a session lock after a 15-minute period of inactivity.
Verify the UEM server provides the capability for users to directly initiate a session lock. If the UEM server does not provide the capability for users to directly initiate a session lock, this is a finding.
Configure the UEM server to provide the capability for users to directly initiate a session lock.
Verify the UEM server retains the session lock until the user reestablishes access using established identification and authentication procedures. If the UEM server does not retain the session lock until the user reestablishes access using established identification and authentication procedures, this is a finding.
Configure the UEM server to retain the session lock until the user reestablishes access using established identification and authentication procedures.
Verify the UEM server uses TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. If the UEM server does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access, this is a finding.
Configure the UEM server to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server provides automated mechanisms for supporting account management functions. If the UEM server does not provide automated mechanisms for supporting account management functions, this is a finding.
Configure the UEM server to provide automated mechanisms for supporting account management functions.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically removes or disables temporary user accounts after 72 hours, if supported by the UEM server. If the UEM server does not automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server, this is a finding.
Configure the UEM server to automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically disables accounts after a 35-day period of account inactivity. If the UEM server does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.
Configure the UEM server to automatically disable accounts after a 35-day period of account inactivity.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account creation. If the UEM server does not automatically audit account creation, this is a finding.
Configure the UEM server to automatically audit account creation.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account modification. If the UEM server does not automatically audit account modification, this is a finding.
Configure the UEM server to automatically audit account modification.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account disabling actions. If the UEM server does not automatically audit account disabling actions, this is a finding.
Configure the UEM server to automatically audit account disabling actions.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account removal actions. If the UEM server does not automatically audit account removal actions, this is a finding.
Configure the UEM server to automatically audit account removal actions.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If the UEM server does not enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.
Configure the UEM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
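The lockout rule above (three consecutive invalid logons by one user within 15 minutes), as an added example that is not part of the STIG and not any UEM product's code: it replays constructed authentication log lines in a hypothetical "timestamp user result" layout and reports which accounts would be locked, including the edge case where three failures are spread over more than 15 minutes.

```python
"""Added example, not part of the STIG text: applies the rule 'three
consecutive invalid logon attempts by a user during a 15-minute period'
to constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3
WINDOW = timedelta(minutes=15)

# Constructed sample log; the "timestamp user result" layout is hypothetical.
SAMPLE_LOG = """\
2024-03-01T09:00:00 admin_a FAIL
2024-03-01T09:04:00 admin_a FAIL
2024-03-01T09:10:00 admin_a SUCCESS
2024-03-01T09:11:00 admin_a FAIL
2024-03-01T09:12:00 admin_a FAIL
2024-03-01T09:13:00 admin_a FAIL
2024-03-01T09:14:00 admin_a SUCCESS
2024-03-01T10:00:00 admin_b FAIL
2024-03-01T10:20:00 admin_b FAIL
2024-03-01T10:40:00 admin_b FAIL
"""


def parse_log(text):
    """Turn the sample lines into (timestamp, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        events.append((datetime.fromisoformat(stamp), user, result == "SUCCESS"))
    return events


def evaluate_lockouts(events):
    """Replay events in time order.

    A user's run of consecutive failures is kept as a list of timestamps;
    a success clears it. On each failure the run is trimmed to failures
    within WINDOW of the current one, and reaching MAX_FAILURES locks the
    account. Assumption: a lock persists until an administrator clears it,
    so later attempts by a locked user are recorded as rejected.
    Returns (locked, rejected): locked maps user -> lock timestamp and
    rejected lists (timestamp, user) attempts made while locked.
    """
    streaks = defaultdict(list)
    locked = {}
    rejected = []
    for stamp, user, succeeded in sorted(events):
        if user in locked:
            rejected.append((stamp, user))
            continue
        if succeeded:
            streaks[user].clear()
            continue
        run = streaks[user]
        run.append(stamp)
        # keep only the failures that fall inside the 15-minute window ending now
        run[:] = [t for t in run if stamp - t <= WINDOW]
        if len(run) >= MAX_FAILURES:
            locked[user] = stamp
    return locked, rejected


def lockout_report(text=SAMPLE_LOG):
    """Convenience wrapper returning plain strings for display or testing."""
    locked, rejected = evaluate_lockouts(parse_log(text))
    return (
        {user: stamp.isoformat() for user, stamp in locked.items()},
        [(stamp.isoformat(), user) for stamp, user in rejected],
    )


if __name__ == "__main__":
    print(lockout_report())
```

In the sample, admin_a is locked at the third failure of the 09:11 run and the later successful logon is rejected, while admin_b's three failures 20 minutes apart never fall inside one 15-minute window.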
Verify the UEM server displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. If the UEM server does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application, this is a finding.
Configure the UEM server to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
Verify the UEM server retains the access banner until the user acknowledges acceptance of the access conditions. If the UEM server does not retain the access banner until the user acknowledges acceptance of the access conditions, this is a finding.
Configure the UEM server to retain the access banner until the user acknowledges acceptance of the access conditions.
Verify the UEM server protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. If the UEM server does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.
Configure the UEM server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Verify the UEM server provides audit record generation capability for DoD-defined auditable events within all application components. If the UEM server does not provide audit record generation capability for DoD-defined auditable events within all application components, this is a finding.
Configure the UEM server to provide audit record generation capability for DoD-defined auditable events within all application components.
Verify the UEM server provides audit records in a manner suitable for the Authorized Administrators to interpret the information. If the UEM server does not provide audit records in a manner suitable for the Authorized Administrators to interpret the information, this is a finding.
Configure the UEM server to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.
Verify the UEM server allows only specific administrator roles to select which auditable events are to be audited. If the UEM server does not allow only specific administrator roles to select which auditable events are to be audited, this is a finding.
Configure the UEM server to allow only specific administrator roles to select which auditable events are to be audited.
Verify the UEM server generates audit records when successful/unsuccessful attempts to access privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to access privileges occur.
Verify the UEM server initiates session auditing upon startup. If the UEM server does not initiate session auditing upon startup, this is a finding.
Configure the UEM server to initiate session auditing upon startup.
Verify the UEM server produces audit records containing information to establish what type of events occurred. If the UEM server does not produce audit records containing information to establish what type of events occurred, this is a finding.
Configure the UEM server to produce audit records containing information to establish what type of events occurred.
Verify the UEM server produces audit records containing information to establish when (date and time) the events occurred. If the UEM server does not produce audit records containing information to establish when (date and time) the events occurred, this is a finding.
Configure the UEM server to produce audit records containing information to establish when (date and time) the events occurred.
Verify the UEM server produces audit records containing information to establish where the events occurred. If the UEM server does not produce audit records containing information to establish where the events occurred, this is a finding.
Configure the UEM server to produce audit records containing information to establish where the events occurred.
Verify the UEM server produces audit records containing information to establish the source of the events. If the UEM server does not produce audit records containing information to establish the source of the events, this is a finding.
Configure the UEM server to produce audit records containing information to establish the source of the events.
Verify the UEM server produces audit records that contain information to establish the outcome of the events. If the UEM server does not produce audit records that contain information to establish the outcome of the events, this is a finding.
Configure the UEM server to produce audit records that contain information to establish the outcome of the events.
Verify the UEM server generates audit records containing information that establishes the identity of any individual or process associated with the event. If the UEM server does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.
Configure the UEM server to generate audit records containing information that establishes the identity of any individual or process associated with the event.
Verify the UEM server generates audit records containing the full-text recording of privileged commands or the individual identities of group account users. If the UEM server does not generate audit records containing the full-text recording of privileged commands or the individual identities of group account users, this is a finding.
Configure the UEM server to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
Verify the UEM server alerts the ISSO and SA (at a minimum) in the event of an audit processing failure. If the UEM server does not alert the ISSO and SA (at a minimum) in the event of an audit processing failure, this is a finding.
Configure the UEM server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
Verify the UEM server uses host operating system clocks to generate time stamps for audit records. If the UEM server does not use host operating system clocks to generate time stamps for audit records, this is a finding.
Configure the UEM server to use host operating system clocks to generate time stamps for audit records.
Verify the UEM server protects audit information from any type of unauthorized read access. If the UEM server does not protect audit information from any type of unauthorized read access, this is a finding.
Configure the UEM server to protect audit information from any type of unauthorized read access.
Verify the UEM server protects audit information from unauthorized modification. If the UEM server does not protect audit information from unauthorized modification, this is a finding.
Configure the UEM server to protect audit information from unauthorized modification.
Verify the UEM server protects audit information from unauthorized deletion. If the UEM server does not protect audit information from unauthorized deletion, this is a finding.
Configure the UEM server to protect audit information from unauthorized deletion.
Verify the UEM server backs up audit records at least every seven days onto a log management server. If the UEM server does not back up audit records at least every seven days onto a log management server, this is a finding.
Configure the UEM server to back up audit records at least every seven days onto a log management server.
Verify the UEM server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. If the UEM server does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.
Configure the UEM server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Verify the UEM server limits privileges to change the software resident within software libraries. If the UEM server does not limit privileges to change the software resident within software libraries, this is a finding.
Configure the UEM server to limit privileges to change the software resident within software libraries.
Verify the UEM server has disabled non-essential capabilities. If the UEM server has not disabled non-essential capabilities, this is a finding.
Configure the UEM server to disable non-essential capabilities.
Verify the firewall protecting the UEM server platform is configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services). If the firewall protecting the UEM server platform is not configured so that only DoD-approved ports, protocols, and services are enabled, this is a finding.
Configure the firewall protecting the UEM server platform so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).
Verify the UEM server uses only documented platform APIs. If the UEM server does not use only documented platform APIs, this is a finding.
Configure the UEM server to use only documented platform APIs.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). If the UEM server does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
Configure the UEM server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Verify the UEM server uses a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. If the UEM server does not use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts, this is a finding.
Configure the UEM server to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
Verify all UEM server local accounts created during application installation and configuration have been removed. Note: In this context, "local" accounts refer to user and/or administrator accounts on the server that use a user name and password for user access and authentication. If all UEM server local accounts created during application installation and configuration have not been removed, this is a finding.
Remove all UEM server local accounts created during application installation. Note: In this context, "local" accounts refer to user and/or administrator accounts on the server that use a user name and password for user access and authentication.
Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server ensures users are authenticated with an individual authenticator prior to using a group authenticator. If the UEM server does not ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.
Configure the UEM server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.
Verify the UEM server uses DOD PKI for multifactor authentication. If the UEM server does not use DOD PKI for multifactor authentication, this is a finding.
Configure the UEM server to use DOD PKI for multifactor authentication.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the UEM server does not use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server implements replay-resistant authentication mechanisms for network access to non-privileged accounts. If the UEM server does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.
Configure the UEM server to implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
Verify the UEM server enforces a minimum 15-character password length. If the UEM server does not enforce a minimum 15-character password length, this is a finding.
Configure the UEM server to enforce a minimum 15-character password length.
Verify the UEM server prohibits password reuse for a minimum of five generations. If the UEM server does not prohibit password reuse for a minimum of five generations, this is a finding.
Configure the UEM server to prohibit password reuse for a minimum of five generations.
Verify the UEM server enforces password complexity by requiring that at least one uppercase character be used. If the UEM server does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Configure the UEM server to enforce password complexity by requiring that at least one uppercase character be used.
Verify the UEM server enforces password complexity by requiring that at least one lowercase character be used. If the UEM server does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Configure the UEM server to enforce password complexity by requiring that at least one lowercase character be used.
Verify the UEM server enforces password complexity by requiring that at least one numeric character be used. If the UEM server does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Configure the UEM server to enforce password complexity by requiring that at least one numeric character be used.
Verify the UEM server enforces password complexity by requiring that at least one special character be used. If the UEM server does not enforce password complexity by requiring that at least one special character be used, this is a finding.
Configure the UEM server to enforce password complexity by requiring that at least one special character be used.
Verify the UEM server requires the change of at least 15 of the total number of characters when passwords are changed. If the UEM server does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.
Configure the UEM server to require the change of at least 15 of the total number of characters when passwords are changed.
If the UEM server is using password authentication, verify the server stores only cryptographic representations of passwords. If the UEM server is using password authentication but does not store only cryptographic representations of passwords, this is a finding.
For a UEM server using password authentication, configure the server to store only cryptographic representations of passwords.
For a UEM server using password authentication, verify the network element uses a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. If the UEM server is using password authentication but the network element does not use a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.
For a UEM server using password authentication, configure the network element to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
Verify the UEM server enforces a 60-day maximum password lifetime restriction. If the UEM server does not enforce a 60-day maximum password lifetime restriction, this is a finding.
Configure the UEM server to enforce a 60-day maximum password lifetime restriction.
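The password requirements above (15-character minimum, the four character classes, at least 15 characters changed, no reuse within five generations, 60-day maximum lifetime, and storage of cryptographic representations only) as one added example; this is not the STIG's text and not any UEM product's code. The "characters changed" counting rule and the PBKDF2-SHA-256 storage format are assumptions made for the example.

```python
"""Added example, not the STIG's or any UEM product's code: a password-change
validator applying the page's policy values and storing only salted
PBKDF2-SHA-256 hashes, never plaintext."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 15
MIN_CHANGED = 15
HISTORY_GENERATIONS = 5
MAX_LIFETIME = timedelta(days=60)
PBKDF2_ITERATIONS = 100_000  # lowered so the example runs quickly; raise in production
SPECIALS = set(string.punctuation)


def hash_password(password, salt=None):
    """Return (salt, digest); the record keeps only these, never the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def changed_characters(old, new):
    """Assumed counting rule (the STIG text does not define one): positions whose
    character differs, plus every position beyond the old password's length."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + max(0, len(new) - len(old))


def complexity_problems(candidate):
    """List the length and character-class rules the candidate violates."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase character")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    return problems


class PasswordRecord:
    """Per-account state: hashes of the last HISTORY_GENERATIONS passwords
    (newest last) and the time of the last change."""

    def __init__(self, password, changed_at):
        self.history = [hash_password(password)]
        self.changed_at = changed_at

    def verify(self, password):
        salt, digest = self.history[-1]
        return matches(password, salt, digest)

    def is_expired(self, now):
        return now - self.changed_at > MAX_LIFETIME

    def change(self, old, new, now):
        """Return [] and update the record on success, else the list of violations."""
        if not self.verify(old):
            return ["current password does not match"]
        problems = complexity_problems(new)
        if changed_characters(old, new) < MIN_CHANGED:
            problems.append(f"fewer than {MIN_CHANGED} characters changed")
        if any(matches(new, salt, digest) for salt, digest in self.history):
            problems.append(f"reused within last {HISTORY_GENERATIONS} generations")
        if problems:
            return problems
        self.history.append(hash_password(new))
        self.history = self.history[-HISTORY_GENERATIONS:]
        self.changed_at = now
        return []


def demo():
    """Walk one constructed account through the rules; returns each outcome."""
    t0 = datetime(2024, 1, 1)
    rec = PasswordRecord("Correct-Horse-Battery-9!", t0)
    out = {}
    out["wrong_current"] = rec.change("not-the-password", "Purple-Monkey-Dishwasher-42#", t0)
    out["too_short"] = rec.change("Correct-Horse-Battery-9!", "Short-Pw-1!", t0)
    out["too_similar"] = rec.change("Correct-Horse-Battery-9!", "Correct-Horse-Battery-8!", t0)
    out["accepted"] = rec.change("Correct-Horse-Battery-9!", "Purple-Monkey-Dishwasher-42#", t0 + timedelta(days=30))
    out["reuse"] = rec.change("Purple-Monkey-Dishwasher-42#", "Correct-Horse-Battery-9!", t0 + timedelta(days=31))
    out["expired_at_day_91"] = rec.is_expired(t0 + timedelta(days=91))
    out["expired_at_day_59"] = rec.is_expired(t0 + timedelta(days=59))
    return out
```

`demo()` shows each rule rejecting in turn and the lifetime clock restarting at the accepted change on day 30, so the record is not yet expired on day 59 but is on day 91.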
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. When using PKI-based authentication for user access, verify the UEM server validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor. If the UEM server uses PKI-based authentication for user access but does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.
When using PKI-based authentication for user access, configure the UEM server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate. If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.
Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server, when using PKI-based authentication, enforces authorized access to the corresponding private key. If the UEM server, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding.
Configure the UEM server, when using PKI-based authentication, to enforce authorized access to the corresponding private key.
Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server maps the authenticated identity to the individual user or group account for PKI-based authentication. If the UEM server does not map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.
Configure the UEM server to map the authenticated identity to the individual user or group account for PKI-based authentication.
Verify the UEM server obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. If the UEM server does not obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals, this is a finding.
Configure the UEM server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. If the UEM server does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications, this is a finding.
Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
Verify the UEM server provides a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS]. If the UEM server does not provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS], this is a finding.
Configure the UEM server to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS].
Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS]. If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS], this is a finding.
Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS].
Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS]. If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS], this is a finding.
Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS].
Verify the UEM server protects the authenticity of communications sessions. If the UEM server does not protect the authenticity of communications sessions, this is a finding.
Configure the UEM server to protect the authenticity of communications sessions.
Verify the UEM server invalidates session identifiers upon user logout or other session termination. If the UEM server does not invalidate session identifiers upon user logout or other session termination, this is a finding.
Configure the UEM server to invalidate session identifiers upon user logout or other session termination.
Verify the UEM server recognizes only system-generated session identifiers. If the UEM server does not recognize only system-generated session identifiers, this is a finding.
Configure the UEM server to recognize only system-generated session identifiers.
Verify the UEM server generates unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm. If the UEM server does not generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm, this is a finding.
Configure the UEM server to generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.
Verify the UEM server fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the UEM server does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.
Configure the UEM server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Verify the UEM server preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure. If the UEM server does not preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure, this is a finding.
Configure the UEM server to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.
Verify the UEM server checks the validity of all data inputs. If the UEM server does not check the validity of all data inputs, this is a finding.
Configure the UEM server to check the validity of all data inputs.
Verify the UEM server generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. If the UEM server does not generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.
Configure the UEM server to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
Verify the UEM server reveals error messages only to the ISSM and ISSO. If the UEM server does not reveal error messages only to the ISSM and ISSO, this is a finding.
Configure the UEM server to reveal error messages only to the ISSM and ISSO.
Verify the UEM server notifies the ISSO and ISSM of failed security verification tests. If the UEM server does not notify the ISSO and ISSM of failed security verification tests, this is a finding.
Configure the UEM server to notify the ISSO and ISSM of failed security verification tests.
Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO when accounts are created. If the UEM server does not notify SAs and the ISSO when accounts are created, this is a finding.
Configure the UEM server to notify SAs and the ISSO when accounts are created.
Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO when accounts are modified. If the UEM server does not notify SAs and the ISSO when accounts are modified, this is a finding.
Configure the UEM server to notify SAs and the ISSO when accounts are modified.
Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO for account disabling actions. If the UEM server does not notify SAs and the ISSO for account disabling actions, this is a finding.
Configure the UEM server to notify SAs and the ISSO for account disabling actions.
Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies SAs and the ISSO for account removal actions. If the UEM server does not notify SAs and the ISSO for account removal actions, this is a finding.
Configure the UEM server to notify SAs and the ISSO for account removal actions.
Verify the UEM server automatically terminates a user session after an organization-defined period of user inactivity. If the UEM server does not automatically terminate a user session after an organization-defined period of user inactivity, this is a finding.
Configure the UEM server to automatically terminate a user session after an organization-defined period of user inactivity.
Verify the UEM server provides a logout capability for user-initiated communication sessions. If the UEM server does not provide a logout capability for user-initiated communication sessions, this is a finding.
Configure the UEM server to provide a logout capability for user-initiated communication sessions.
Verify the UEM server displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. If the UEM server does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.
Configure the UEM server to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically audits account enabling actions. If the UEM server does not automatically audit account enabling actions, this is a finding.
Configure the UEM server to automatically audit account enabling actions.
Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication. Verify the UEM server notifies the SA and the ISSO of account enabling actions. If the UEM server does not notify the SA and the ISSO of account enabling actions, this is a finding.
Configure the UEM server to notify the SA and the ISSO of account enabling actions.
Verify the UEM server has at least one user in defined administrator roles. If the UEM server does not have at least one user in defined administrator roles, this is a finding.
Configure the UEM server to have at least one user in defined administrator roles.
Verify the UEM server audits the execution of privileged functions. If the UEM server does not audit the execution of privileged functions, this is a finding.
Configure the UEM server to audit the execution of privileged functions.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server automatically locks the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. If the UEM server does not automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded, this is a finding.
Configure the UEM server to automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
Verify the UEM server transfers UEM server logs to another server for storage, analysis, and reporting. If the UEM server does not transfer UEM server logs to another server for storage, analysis, and reporting, this is a finding. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
Configure the UEM server to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
Verify the UEM server records time stamps for audit records that can be mapped to UTC or GMT. If the UEM server does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.
Configure the UEM server to record time stamps for audit records that can be mapped to UTC or GMT.
Verify the UEM server records time stamps for audit records that meet a granularity of one second for a minimum degree of precision. If the UEM server does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.
Configure the UEM server to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
Verify the UEM server prohibits user installation of software by an administrator without the appropriate assigned permission for software installation. If the UEM server does not prohibit user installation of software by an administrator without the appropriate assigned permission for software installation, this is a finding.
Configure the UEM server to prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.
Verify the UEM server allows only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. If the UEM server does not allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications, this is a finding.
Configure the UEM server to allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
Verify the UEM server enforces access restrictions associated with changes to the server configuration. If the UEM server does not enforce access restrictions associated with changes to the server configuration, this is a finding.
Configure the UEM server to enforce access restrictions associated with changes to the server configuration.
Verify the UEM server audits the enforcement actions used to restrict access associated with changes to the application. If the UEM server does not audit the enforcement actions used to restrict access associated with changes to the application, this is a finding.
Configure the UEM server to audit the enforcement actions used to restrict access associated with changes to the application.
Verify the UEM server disables organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure. If the UEM server does not disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, this is a finding.
Configure the UEM server to disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.
Verify the UEM server establishes a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed. If the UEM server does not establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed, this is a finding.
Configure the UEM server to establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server prohibits the use of cached authenticators after an organization-defined time period. If the UEM server does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.
Configure the UEM server to prohibit the use of cached authenticators after an organization-defined time period.
Verify the UEM server, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. If the UEM server, for PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.
Configure the UEM server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network for PKI-based authentication.
Verify the UEM server web management tools use a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. If the UEM server web management tools do not use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions, this is a finding.
Configure the UEM server web management tools with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
Verify the UEM server verifies remote disconnection when non-local maintenance and diagnostic sessions are terminated. If the UEM server does not verify remote disconnection when non-local maintenance and diagnostic sessions are terminated, this is a finding.
Configure the UEM server to verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.
Verify the UEM server allows only DoD-PKI established certificate authorities for verification of the establishment of protected sessions. If the UEM server does not allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions, this is a finding.
Configure the UEM server to allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.
Verify the UEM server uses X.509v3 certificates for code signing for system software updates. If the UEM server does not use X.509v3 certificates for code signing for system software updates, this is a finding.
Configure the UEM server to use X.509v3 certificates for code signing for system software updates.
Verify the UEM server uses X.509v3 certificates for code signing for integrity verification. If the UEM server does not use X.509v3 certificates for code signing for integrity verification, this is a finding.
Configure the UEM server to use X.509v3 certificates for code signing for integrity verification.
Verify the UEM server connects to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. If the UEM server does not connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information, this is a finding.
Configure the UEM server to connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
Verify the UEM server writes to the server event log when invalid inputs are received. If the UEM server does not write to the server event log when invalid inputs are received, this is a finding.
Configure the UEM server to write to the server event log when invalid inputs are received.
Verify the UEM server removes old software components after updated versions have been installed. If the UEM server does not remove old software components after updated versions have been installed, this is a finding.
Configure the UEM server to remove old software components after updated versions have been installed.
Verify the UEM server is maintained at a supported version. If the UEM server is not maintained at a supported version, this is a finding.
Configure the UEM server to be maintained at a supported version.
Verify the UEM server is configured with a periodicity of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the managed device firmware/software;
- query the current version of installed mobile applications;
- read audit logs kept by the managed device.
If the UEM server is not configured with a periodicity of six hours or less for these commands to the agent, this is a finding.
Configure the UEM server with a periodicity of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the managed device firmware/software;
- query the current version of installed mobile applications;
- read audit logs kept by the managed device.
Verify the UEM server runs a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server. If the UEM server does not run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server, this is a finding.
Configure the UEM server to run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.
Verify the UEM server alerts the system administrator when anomalies in the operation of security functions are discovered. If the UEM server does not alert the system administrator when anomalies in the operation of security functions are discovered, this is a finding.
Configure the UEM server to alert the system administrator when anomalies in the operation of security functions are discovered.
Verify the UEM server verifies software updates to the server using a digital signature mechanism prior to installing those updates. If the UEM server does not verify software updates to the server using a digital signature mechanism prior to installing those updates, this is a finding.
Configure the UEM server to verify software updates to the server using a digital signature mechanism prior to installing those updates.
Verify the UEM server generates audit records when successful/unsuccessful attempts to access security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to access security objects occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to access security objects occur.
Verify the UEM server generates audit records when successful/unsuccessful attempts to modify privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify privileges occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify privileges occur.
Verify the UEM server generates audit records when successful/unsuccessful attempts to modify security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to modify security objects occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify security objects occur.
Verify the UEM server generates audit records when successful/unsuccessful attempts to delete privileges occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete privileges occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete privileges occur.
Verify the UEM server generates audit records when successful/unsuccessful attempts to delete security objects occur. If the UEM server does not generate audit records when successful/unsuccessful attempts to delete security objects occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete security objects occur.
Verify the UEM server generates audit records when successful/unsuccessful logon attempts occur. If the UEM server does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful logon attempts occur.
Verify the UEM server generates audit records for privileged activities or other system-level access. If the UEM server does not generate audit records for privileged activities or other system-level access, this is a finding.
Configure the UEM server to generate audit records for privileged activities or other system-level access.
Verify the UEM server generates audit records showing starting and ending time for user access to the system. If the UEM server does not generate audit records showing starting and ending time for user access to the system, this is a finding.
Configure the UEM server to generate audit records showing starting and ending time for user access to the system.
Verify the UEM server generates audit records when concurrent logons from different workstations occur. If the UEM server does not generate audit records when concurrent logons from different workstations occur, this is a finding.
Configure the UEM server to generate audit records when concurrent logons from different workstations occur.
Verify the UEM server generates audit records when successful/unsuccessful accesses to objects occur. If the UEM server does not generate audit records when successful/unsuccessful accesses to objects occur, this is a finding.
Configure the UEM server to generate audit records when successful/unsuccessful accesses to objects occur.
Verify the UEM server generates audit records for all direct access to the information system. If the UEM server does not generate audit records for all direct access to the information system, this is a finding.
Configure the UEM server to generate audit records for all direct access to the information system.
Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication. Verify the UEM server generates audit records for all account creations, modifications, disabling, and termination events. If the UEM server does not generate audit records for all account creations, modifications, disabling, and termination events, this is a finding.
Configure the UEM server to generate audit records for all account creations, modifications, disabling, and termination events.
Verify the UEM server uses a FIPS-validated cryptographic module to generate cryptographic hashes. If the UEM server does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.
Configure the UEM server to use a FIPS-validated cryptographic module to generate cryptographic hashes.
Verify the UEM server, at a minimum, off-loads audit logs of interconnected systems in real time and off-loads audit logs of standalone systems weekly. If the UEM server does not off-load audit logs of interconnected systems in real time and off-load audit logs of standalone systems weekly, this is a finding.
Configure the UEM server to, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
Verify the UEM server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the UEM server is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Configure the UEM server in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Verify the UEM server allows authorized administrators to read all audit data from audit records on the server. If the UEM server does not allow authorized administrators to read all audit data from audit records on the server, this is a finding.
Configure the UEM server to allow authorized administrators to read all audit data from audit records on the server.
Verify FIPS 140-2 mode has been implemented on the UEM server for all server and agent encryption. If FIPS 140-2 mode has not been implemented on the UEM server for all server and agent encryption, this is a finding.
Configure the UEM server to implement FIPS 140-2 mode for all server and agent encryption.
Verify the UEM server is configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. If the UEM server is not configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.
Configure the UEM server to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
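As an added example that is not part of this STIG, the Go program below expresses the protocol floor this requirement asks for (MinVersion TLS 1.2) beside the weak setting a review would flag (MinVersion TLS 1.0), and runs the check itself: a client able to offer only TLS 1.0 or TLS 1.1 must be refused. The server name and the self-signed certificate are constructed for the example (a real UEM server presents a DoD PKI issued certificate), and the handshakes run over an in-memory pipe so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed server name for the throwaway certificate below.
const serverName = "uem.example.test"

// serverConfig builds the listener policy. tls.VersionTLS12 is the floor this
// requirement calls for (Go's crypto/tls never implemented SSL 2.0/3.0); TLS10
// reproduces the weak setting. Tickets are off only so the pipe below cannot stall.
func serverConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             minVersion,
		SessionTicketsDisabled: true,
	}
}

// selfSignedCert builds a throwaway ECDSA certificate so the example runs offline.
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client will trust exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// negotiatedVersion runs one handshake over an in-memory pipe against a client
// that only offers [minVer, maxVer]; it errors if the server refused the client.
func negotiatedVersion(server *tls.Config, roots *x509.CertPool, minVer, maxVer uint16) (uint16, error) {
	cConn, sConn := net.Pipe()
	defer sConn.Close()
	defer cConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, server).Handshake() }()
	client := tls.Client(cConn, &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: minVer, MaxVersion: maxVer,
	})
	if err := client.Handshake(); err != nil {
		cConn.Close() // unblock the server goroutine so its result can be drained
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

// prohibitsLegacyTLS is the check: true when a TLS 1.0/1.1-only client is refused.
func prohibitsLegacyTLS(server *tls.Config, roots *x509.CertPool) bool {
	_, err := negotiatedVersion(server, roots, tls.VersionTLS10, tls.VersionTLS11)
	return err != nil
}

func main() {
	cert, roots, err := selfSignedCert(serverName)
	if err != nil {
		panic(err)
	}
	for _, floor := range []uint16{tls.VersionTLS12, tls.VersionTLS10} {
		fmt.Printf("MinVersion %#x refuses TLS 1.0/1.1 clients: %v\n", floor, prohibitsLegacyTLS(serverConfig(cert, floor), roots))
	}
}
```

A false result for the TLS 1.0 floor is the finding this requirement describes; the same probe run with an external client against the real UEM server is the practical verification.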
Verify the UEM server authenticates endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. If the UEM server does not authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based, this is a finding.
Configure the UEM server to authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
Verify that cipher suites using pre-shared keys for device authentication have a minimum security strength of 112 bits or higher. If cipher suites using pre-shared keys for device authentication do not have a minimum security strength of 112 bits or higher, this is a finding.
If cipher suites using pre-shared keys are used for device authentication, configure the UEM server to have a minimum security strength of 112 bits or higher.
Verify the UEM server validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the UEM server does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.
Configure the UEM server to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
Verify the UEM server uses FIPS-validated SHA-256 or higher hash function for digital signature generation and verification. If the UEM server does not use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification, this is a finding.
Configure the UEM server to use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
Verify the UEM server is signing all policy updates sent to the UEM Agent with validated certificates. If the UEM server is not signing all policy updates sent to the UEM Agent with validated certificates, this is a finding.
Configure the UEM server to sign all policy updates sent to the UEM Agent with validated certificates.
Verify the UEM server is configured to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification. If the UEM server is not signing all policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification, this is a finding.
Configure the UEM server to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification.
Verify the UEM server, for each unique policy managed, validates the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy]. If the UEM server does not validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy], this is a finding.
Configure the UEM server, for each unique policy managed, to validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].