
Cisco ASA NDM Security Technical Implementation Guide


Overview

Date: 2022-09-12
Finding Count: 49 (CAT I (High): 7, CAT II (Med): 42, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-239931 High The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
V-239930 High The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.
V-239911 High The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.
V-239944 High The Cisco ASA must be running an operating system release that is currently supported by Cisco Systems.
V-239940 High The Cisco ASA must be configured to use an authentication server to authenticate users prior to granting administrative access.
V-239943 High The Cisco ASA must be configured to send log data to a central log server for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.
V-239920 High The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-239929 Medium The Cisco ASA must be configured to authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-239903 Medium The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-239904 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.
V-239926 Medium The Cisco ASA must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-239905 Medium The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred.
V-239896 Medium The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.
V-239897 Medium The Cisco ASA must be configured to automatically audit account creation.
V-239906 Medium The Cisco ASA must be configured to produce audit records containing information to establish when (date and time) the events occurred.
V-239907 Medium The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred.
V-239898 Medium The Cisco ASA must be configured to automatically audit account modification.
V-239899 Medium The Cisco ASA must be configured to automatically audit account-disabling actions.
V-239919 Medium The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-239918 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one special character be used.
V-239935 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful logon attempts occur.
V-239934 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-239937 Medium The Cisco ASA must be configured to generate audit records showing starting and ending time for administrator access to the system.
V-239936 Medium The Cisco ASA must be configured to generate audit records for privileged activities or other system-level access.
V-239913 Medium The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-239912 Medium The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
V-239910 Medium The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands.
V-239917 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-239916 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one lowercase character be used.
V-239915 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used.
V-239914 Medium The Cisco ASA must be configured to enforce a minimum 15-character password length.
V-239908 Medium The Cisco ASA must be configured to produce audit log records containing information to establish the source of events.
V-239933 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-239927 Medium The Cisco ASA must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-239932 Medium The Cisco ASA must be configured to protect against known types of Denial of Service (DoS) attacks by enabling the Threat Detection feature.
V-239909 Medium The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event.
V-239941 Medium The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur.
V-239928 Medium The Cisco ASA must be configured to encrypt Simple Network Management Protocol (SNMP) messages using a FIPS 140-2 approved algorithm.
V-239900 Medium The Cisco ASA must be configured to automatically audit account removal actions.
V-239901 Medium The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.
V-239902 Medium The Cisco ASA must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-239925 Medium The Cisco ASA must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-239922 Medium The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-239923 Medium The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-239921 Medium The Cisco ASA must be configured to audit the execution of privileged functions.
V-239939 Medium The Cisco ASA must be configured to offload audit records onto a different system or media than the system being audited.
V-239942 Medium The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-239938 Medium The Cisco ASA must be configured to generate audit records when concurrent logons from different workstations occur.
V-239924 Medium The Cisco ASA must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
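The titles above name the configuration each finding expects but this page does not carry the STIG's own check and fix text. The script below is an added example, not DISA or UCF tooling, that screens an ASA running-config excerpt for a subset of the findings listed above. The mapping from ASA commands to finding IDs (for example treating "ssh cipher encryption fips" as evidence for V-239931, or "ssh timeout" of 10 minutes or less as satisfying V-239920) is this example's assumption of how each requirement is usually met, not the STIG's check procedure; the sample config is constructed and deliberately leaves two findings open.

```python
"""Screen an ASA running-config for a subset of the Cisco ASA NDM STIG findings.

Hypothetical check mapping: the command-to-finding pairs below are this
example's assumptions about how each requirement is met, not the STIG's
own check text. Run against 'show running-config' output.
"""
import re
from typing import Callable

Check = Callable[[str], tuple[bool, str]]

# Constructed sample config (not from any real device). Note "ssh timeout 30"
# and the absent "logging timestamp", which the audit below should flag.
SAMPLE_CONFIG = """\
hostname asa-edge
password-policy minimum-length 15
password-policy minimum-changes 8
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-numeric 1
password-policy minimum-special 1
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.5 key 1 source inside prefer
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh timeout 30
ssh 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console TACACS+ LOCAL
logging enable
logging host inside 10.0.0.20
threat-detection basic-threat
banner motd You are accessing a U.S. Government (USG) Information System (IS)
quota management-session 3
"""


def has_line(config: str, pattern: str) -> bool:
    """True if some complete line of the config matches the regex."""
    return re.search(rf"^{pattern}$", config, re.MULTILINE) is not None


def require(*patterns: str) -> Check:
    """Every pattern must be present as a complete config line."""
    def check(config: str) -> tuple[bool, str]:
        missing = [p for p in patterns if not has_line(config, p)]
        return (not missing, ("missing: " + "; ".join(missing)) if missing else "present")
    return check


def forbid(pattern: str, label: str) -> Check:
    """The pattern must be absent (unnecessary or non-secure service)."""
    def check(config: str) -> tuple[bool, str]:
        found = has_line(config, pattern)
        return (not found, f"{label} {'present' if found else 'absent'}")
    return check


def numeric(pattern: str, ok: Callable[[int], bool], label: str) -> Check:
    """The pattern's first capture group is an integer that must satisfy ok()."""
    def check(config: str) -> tuple[bool, str]:
        m = re.search(rf"^{pattern}$", config, re.MULTILINE)
        if m is None:
            return (False, f"{label} not configured")
        value = int(m.group(1))
        return (ok(value), f"{label} = {value}")
    return check


# Finding ID -> check. Thresholds (15 chars, 8 changed positions, 10 minutes)
# come from the finding titles; the commands themselves are assumptions.
CHECKS: dict[str, Check] = {
    "V-239931": require(r"ssh version 2", r"ssh cipher encryption fips"),
    "V-239930": require(r"ssh cipher integrity fips"),
    "V-239911": forbid(r"telnet \S+ \S+ \S+", "telnet management access"),
    "V-239940": require(r"aaa authentication ssh console (?!LOCAL$)\S+( LOCAL)?"),
    "V-239943": require(r"logging enable", r"logging host \S+ \S+.*"),
    "V-239920": numeric(r"ssh timeout (\d+)", lambda v: v <= 10, "ssh timeout (min)"),
    "V-239929": require(r"ntp authenticate", r"ntp trusted-key \d+", r"ntp server \S+ key \d+.*"),
    "V-239932": require(r"threat-detection basic-threat"),
    "V-239902": require(r"banner motd .*"),
    "V-239926": require(r"logging timestamp"),
    "V-239896": numeric(r"quota management-session (\d+)", lambda v: v >= 1, "management sessions"),
    "V-239914": numeric(r"password-policy minimum-length (\d+)", lambda v: v >= 15, "min length"),
    "V-239919": numeric(r"password-policy minimum-changes (\d+)", lambda v: v >= 8, "min changes"),
    "V-239915": numeric(r"password-policy minimum-uppercase (\d+)", lambda v: v >= 1, "min uppercase"),
    "V-239916": numeric(r"password-policy minimum-lowercase (\d+)", lambda v: v >= 1, "min lowercase"),
    "V-239917": numeric(r"password-policy minimum-numeric (\d+)", lambda v: v >= 1, "min numeric"),
    "V-239918": numeric(r"password-policy minimum-special (\d+)", lambda v: v >= 1, "min special"),
}


def audit(config: str) -> dict[str, tuple[bool, str]]:
    """Run every check; returns finding ID -> (passed, detail)."""
    return {fid: check(config) for fid, check in CHECKS.items()}


def failing(config: str) -> list[str]:
    """Sorted finding IDs that the config does not satisfy."""
    return sorted(fid for fid, (ok, _) in audit(config).items() if not ok)


if __name__ == "__main__":
    for fid, (ok, detail) in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{fid} {'PASS' if ok else 'FAIL'}  {detail}")
```

Against the sample config the audit reports V-239920 (SSH idle timeout of 30 minutes exceeds the 10-minute limit) and V-239926 (no "logging timestamp", so records cannot be mapped to UTC) as FAIL and the rest as PASS. A screen like this only proves a command is present, not that it is effective: the authentication-server group named in "aaa authentication ssh console" must actually be reachable, and findings such as V-239944 (supported OS release) or V-239941 (backups) need "show version" output and operational evidence rather than config text.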