| V-65483 ||High ||The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information. ||Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile... |
| V-65323 ||High ||The ArcGIS Server must use Windows authentication for supporting account management functions. ||Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.
| V-65519 ||High ||The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions. ||Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
| V-65515 ||High ||The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. ||Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-65385 ||High ||The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. ||To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web... |
| V-65517 ||High ||The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. ||Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards... |
| V-65393 ||High ||The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components. ||Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
| V-65319 ||High ||The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates. ||Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD nonpublic information systems by an authorized... |
| V-65467 ||High ||The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. ||Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be... |
| V-65487 ||Medium ||The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA. ||Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application.... |
| V-65485 ||Medium ||The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled. ||Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account... |
| V-65459 ||Medium ||The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. ||Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative... |
| V-65477 ||Medium ||The ArcGIS Server must recognize only system-generated session identifiers. ||Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session... |
| V-65415 ||Medium ||The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. ||In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-65413 ||Medium ||The ArcGIS Server must be configured to disable non-essential capabilities. ||It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked... |
| V-65499 ||Medium ||The ArcGIS Server must enforce access restrictions associated with changes to application configuration. ||Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system.
When dealing with access... |
| V-65503 ||Medium ||The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure. ||In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-65569 ||Medium ||The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. ||Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
| V-65509 ||Medium ||The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials. ||The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DoD has mandated the use of the CAC to support identity management and personal authentication... |
| V-65429 ||Medium ||The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts. ||A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-65407 ||Medium ||The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion. ||If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In... |
| V-65521 ||Medium ||The ArcGIS Server must maintain a separate execution domain for each executing process. ||Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication... |