UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cisco ASA NDM Security Technical Implementation Guide


Overview

Date Finding Count (48)
2023-09-13 CAT I (High): 7 CAT II (Med): 41 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-239931 High The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
V-239930 High The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.
V-239911 High The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.
V-239944 High The Cisco ASA must be running an operating system release that is currently supported by Cisco Systems.
V-239940 High The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access.
V-239943 High The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.
V-239920 High The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
V-239929 Medium The Cisco ASA must be configured to authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-239903 Medium The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-239904 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.
V-239905 Medium The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred.
V-239896 Medium The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.
V-239897 Medium The Cisco ASA must be configured to automatically audit account creation.
V-239906 Medium The Cisco ASA must be configured to produce audit records containing information to establish when (date and time) the events occurred.
V-239907 Medium The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred.
V-239898 Medium The Cisco ASA must be configured to automatically audit account modification.
V-239899 Medium The Cisco ASA must be configured to automatically audit account-disabling actions.
V-239919 Medium The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-239918 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one special character be used.
V-239935 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful logon attempts occur.
V-239934 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-239937 Medium The Cisco ASA must be configured to generate audit records showing starting and ending time for administrator access to the system.
V-239936 Medium The Cisco ASA must be configured to generate audit records for privileged activities or other system-level access.
V-239913 Medium The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-239912 Medium The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
V-239910 Medium The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands.
V-239917 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-239916 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one lowercase character be used.
V-239915 Medium The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used.
V-239914 Medium The Cisco ASA must be configured to enforce a minimum 15-character password length.
V-239908 Medium The Cisco ASA must be configured to produce audit log records containing information to establish the source of events.
V-239933 Medium The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-239927 Medium The Cisco ASA must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-239932 Medium The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature.
V-239909 Medium The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event.
V-239941 Medium The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur.
V-239928 Medium The Cisco ASA must be configured to encrypt Simple Network Management Protocol (SNMP) messages using a FIPS 140-2 approved algorithm.
V-239900 Medium The Cisco ASA must be configured to automatically audit account removal actions.
V-239901 Medium The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.
V-239902 Medium The Cisco ASA must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-239925 Medium The Cisco ASA must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-239922 Medium The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-239923 Medium The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-239921 Medium The Cisco ASA must be configured to audit the execution of privileged functions.
V-239939 Medium The Cisco ASA must be configured to offload audit records onto a different system or media than the system being audited.
V-239942 Medium The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-239938 Medium The Cisco ASA must be configured to generate audit records when concurrent logons from different workstations occur.
V-239924 Medium The Cisco ASA must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.