| Finding ID | Severity | Title | Discussion |
| --- | --- | --- | --- |
| V-71371 | Medium | The CA API Gateway must invalidate session identifiers upon user logout or other session termination. | Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs. Session IDs are... |
| V-71315 | Medium | The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the... |
| V-71375 | Medium | The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. In order to minimize any potential negative impact to the organization caused by... |
| V-71377 | Medium | The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed. | Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive.... |
| V-71367 | Medium | The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution... |
| V-71353 | Medium | The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). | User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users only. Users are prompted by the application or... |
| V-71351 | Medium | The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges. | User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. ALGs can implement functions such as traffic filtering,... |
| V-71357 | Medium | The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-71355 | Medium | The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor... |
| V-71461 | Medium | The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG... |
| V-71359 | Medium | The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be... |
| V-71339 | Medium | The CA API Gateway must protect audit information from unauthorized deletion. | If audit data becomes compromised, forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the... |
| V-71443 | Medium | The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key... |
| V-71335 | Medium | The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine... |
| V-71441 | Medium | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Non-DoD-approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient for DoD systems to rely on the identity... |
| V-71373 | Medium | The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator. | Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force... |
| V-71447 | Medium | The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth... |
| V-71333 | Medium | The CA API Gateway must produce audit records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the... |
| V-71299 | Medium | The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information... |
| V-71337 | Medium | The CA API Gateway must protect audit information from unauthorized read access. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| V-71449 | Medium | The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. | A common vulnerability of network elements is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid... |
| V-71429 | Medium | The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. In addition to the reauthentication requirements associated with session locks,... |
| V-71399 | Medium | To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from... |
| V-71293 | Medium | The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with... |
| V-71397 | Medium | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from... |
| V-71291 | Medium | The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If... |
| V-71395 | Medium | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from... |
| V-71393 | Medium | The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods. | Remote access devices, such as those providing remote access to network devices and information systems, that lack automated control capabilities increase risk and make remote user access... |
| V-71295 | Medium | The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in... |
| V-71391 | Medium | The CA API Gateway providing content filtering must prevent the download of prohibited mobile code. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution... |
| V-71325 | Medium | The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user... |
| V-71307 | Medium | The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. | Private key data is used to prove the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key... |
| V-71379 | Medium | The CA API Gateway providing content filtering must block malicious code upon detection. | Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network. The CA API Gateway must be configured to integrate... |
| V-71487 | Medium | The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards... |
| V-71445 | Medium | The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy, which reduces the susceptibility of the... |
| V-71467 | Medium | The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about... |
| V-71347 | Medium | The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-71481 | Medium | The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions... |
| V-71363 | Medium | The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards... |
| V-71361 | Medium | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure.... |
| V-71349 | Medium | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational... |
| V-71423 | Medium | To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result... |
| V-71365 | Medium | The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-71345 | Medium | The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services. | Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy... |
| V-71369 | Medium | The CA API Gateway must protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications... |
| V-71489 | Medium | The CA API Gateway must off-load audit records onto a centralized log server in real time. | Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is... |
| V-71341 | Medium | The CA API Gateway must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-71427 | Medium | The CA API Gateway must off-load audit records onto a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage... |
| V-71343 | Medium | The CA API Gateway must not have unnecessary services and functions enabled. | Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The... |
| V-71473 | Medium | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards... |
| V-71471 | Medium | The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-71475 | Medium | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards... |
| V-71455 | Medium | The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG... |
| V-71287 | Medium | The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious... |
| V-71479 | Medium | The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This... |
| V-71451 | Medium | The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system. | Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack. Integration of the ALG with a system-wide intrusion... |
| V-71453 | Medium | The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. Since these... |
| V-71483 | Medium | The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker. However, for some types of interactive sessions, including, for example, remote logon,... |
| V-71381 | Medium | The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection. | Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network. The ALG must be configured to block all detected... |
| V-71289 | Medium | The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-71383 | Medium | The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, which will impede the ability to perform forensic analysis and detect rate-based and other... |
| V-71485 | Medium | The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the... |
| V-71385 | Medium | The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms. | The malicious software detection functionality on network elements needs to be constantly updated in order to identify new threats as they are discovered. All malicious software detection... |
| V-71387 | Medium | The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. | Providing too much information in error messages risks compromising the data and security of the application and system. Organizations must carefully consider the structure/content of error... |
| V-71439 | Medium | The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles. | Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles... |
| V-71437 | Medium | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). The intent of this... |
| V-71329 | Medium | The CA API Gateway must produce audit records containing information to establish the source of the events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk... |
| V-71283 | Medium | The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and... |
| V-71433 | Medium | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is... |
| V-71285 | Medium | The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any... |
| V-71431 | Medium | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication... |
| V-71421 | Medium | To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result... |
| V-71389 | Medium | The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution... |
| V-71463 | Medium | The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
| V-71425 | Medium | To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may... |
| V-71469 | Medium | The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-71477 | Medium | The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This... |
| V-71435 | Medium | The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period. | If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators... |
| V-71465 | Medium | The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated... |
| V-71457 | Low | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG... |
| V-71459 | Low | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The ALG... |