
Cisco IOS XE Release 3 NDM Security Technical Implementation Guide


Overview

Date: 2018-12-20
Finding Count: 64 (CAT I (High): 2, CAT II (Med): 47, CAT III (Low): 15)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-74009 High The Cisco IOS XE router must have a single local account that will only be used as an account of last resort with full access to the network device.
V-73963 High The Cisco IOS XE router must use an authentication server for the purpose of granting administrative access.
V-73971 Medium The Cisco IOS XE router must enforce approved authorizations for controlling the flow of management information within the router based on information flow control policies.
V-73973 Medium The Cisco IOS XE router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-73975 Medium The Cisco IOS XE router must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-73977 Medium The Cisco IOS XE router must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-74059 Medium If the Cisco IOS XE router uses mandatory access control, the Cisco IOS XE router must enforce organization-defined mandatory access control policies over all subjects and objects.
V-74011 Medium The Cisco IOS XE router must enforce a minimum 15-character password length.
V-74063 Medium The Cisco IOS XE router must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-74061 Medium The Cisco IOS XE router must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-74049 Medium The Cisco IOS XE router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-74007 Medium The Cisco IOS XE router must be configured to prohibit the use of all unnecessary or non-secure ports, protocols, or services.
V-74065 Medium The Cisco IOS XE router must generate audit records when successful/unsuccessful logon attempts occur.
V-74053 Medium Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
V-74045 Medium The Cisco IOS XE router must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-74047 Medium The Cisco IOS XE router must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-74041 Medium The Cisco IOS XE router must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-74069 Medium The Cisco IOS XE router must generate audit records showing starting and ending time for administrator access to the system.
V-74043 Medium The Cisco IOS XE router must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
V-74029 Medium The Cisco IOS XE router must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
V-74003 Medium The Cisco IOS XE router must use internal system clocks to generate time stamps for audit records.
V-74023 Medium The Cisco IOS XE router must store only encrypted representations of passwords.
V-74021 Medium If multifactor authentication is not supported and passwords must be used, the Cisco IOS XE router must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-74083 Medium The Cisco IOS XE router must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-74085 Medium The Cisco IOS XE router must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
V-74087 Medium The Cisco IOS XE router must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.
V-74019 Medium If multifactor authentication is not supported and passwords must be used, the Cisco IOS XE router must enforce password complexity by requiring that at least one special character be used.
V-73967 Medium The Cisco IOS XE router must automatically audit account modification.
V-73965 Medium The Cisco IOS XE router must automatically audit account creation.
V-73969 Medium The Cisco IOS XE router must automatically audit account removal.
V-74017 Medium If multifactor authentication is not supported and passwords must be used, the Cisco IOS XE router must enforce password complexity by requiring that at least one numeric character be used.
V-74073 Medium The Cisco IOS XE router must generate audit records for all account creations, modifications, disabling, and termination events.
V-74013 Medium If multifactor authentication is not supported and passwords must be used, the Cisco IOS XE router must enforce password complexity by requiring that at least one upper-case character be used.
V-74077 Medium The Cisco IOS XE router must generate audit log events for a locally developed list of auditable events.
V-74079 Medium Administrative accounts for device management must be configured on the authentication server and not the Cisco IOS XE router itself (except for the emergency administration account).
V-74051 Medium The Cisco IOS XE router must authenticate network management, SNMP, and NTP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-74057 Medium The Cisco IOS XE router must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on network device management network by employing organization-defined security safeguards.
V-74055 Medium Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
V-73985 Medium The Cisco IOS XE router must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-74039 Medium The Cisco IOS XE router must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-74071 Medium The Cisco IOS XE router must generate audit records when concurrent logons from different workstations occur.
V-74035 Medium The Cisco IOS XE router must audit the execution of privileged functions.
V-74031 Medium The Cisco IOS XE router must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
V-74033 Medium The Cisco IOS XE router must automatically audit account enabling actions.
V-74027 Medium The Cisco IOS XE router must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-74015 Medium If multifactor authentication is not supported and passwords must be used, the Cisco IOS XE router must enforce password complexity by requiring that at least one lower-case character be used.
V-74067 Medium The Cisco IOS XE router must generate audit records for privileged activities or other system-level access.
V-74025 Medium The Cisco IOS XE router must enforce a 60-day maximum password lifetime restriction.
V-74075 Medium The Cisco IOS XE router must off-load audit records onto a different system or media than the system being audited.
V-73979 Low The Cisco IOS XE router must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-73999 Low The Cisco IOS XE router must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-74001 Low The Cisco IOS XE router must generate audit records containing the full-text recording of privileged commands.
V-73997 Low The Cisco IOS XE router must produce audit records that contain information to establish the outcome of the event.
V-73995 Low The Cisco IOS XE router must produce audit log records containing information to establish the source of events.
V-73993 Low The Cisco IOS XE router must produce audit records containing information to establish where the events occurred.
V-73991 Low The Cisco IOS XE router must produce audit records containing information to establish when (date and time) the events occurred.
V-74081 Low The Cisco IOS XE router must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
V-73961 Low The Cisco IOS XE router must limit the number of concurrent SSH sessions to an organization-defined number.
V-74005 Low The Cisco IOS XE router must off-load audit records via syslog so the audit records can be backed up every seven days.
V-73981 Low The Cisco IOS XE router must provide audit record generation capability for DoD-defined auditable events within the router.
V-73983 Low The Cisco IOS XE router must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-73987 Low The Cisco IOS XE router must initiate session auditing upon startup.
V-73989 Low The Cisco IOS XE router must produce audit log records containing sufficient information to establish what type of event occurred.
V-74037 Low The Cisco IOS XE router must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
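Several of the findings above map to a few lines of IOS XE configuration, and a practitioner usually wants to check a saved running-config against them before the formal scan. The checker below is an added example, not part of this STIG or of the UCF viewer page: it parses "show running-config" output and evaluates eleven of the listed findings. The thresholds it applies are read off the finding titles (three attempts, 15-character minimum, 10-minute timeout, two authenticated NTP servers, and so on) and are assumptions; the STIG's own check and fix text is authoritative, and the two configurations embedded in the block are constructed samples, not captures from a real device.

```python
"""Offline checker for a Cisco IOS XE running-config against a subset of the
IOS XE Release 3 NDM STIG findings listed above (added example).

Thresholds come from the finding titles, not from the STIG check/fix text, so
treat them as assumptions.  Both configurations below are constructed samples.
"""
import re

# Constructed sample: a typical unhardened device.
WEAK_CONFIG = """\
version 16.9
service timestamps log uptime
enable password cisco123
username admin password 0 admin123
username backup privilege 15 password 0 backup123
ip http server
ntp server 192.0.2.10
logging buffered 4096
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 30 0
"""

# Constructed sample: the same device after remediation (hashes/keys are placeholders).
HARDENED_CONFIG = """\
version 16.9
service timestamps log datetime msec
service password-encryption
security passwords min-length 15
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 9 $9$constructedhash
username emergency privilege 15 secret 9 $9$constructedhash
login block-for 900 attempts 3 within 120
banner login ^CYou are accessing a U.S. Government (USG) Information System (IS)...^C
ntp authenticate
ntp authentication-key 1 md5 constructedkey
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 198.51.100.10 key 1
logging host 192.0.2.50
no ip http server
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""


def parse_config(text):
    """Return (global_lines, line_blocks) from 'show running-config' output.
    Only indented 'line ...' sections are kept; other sections (interfaces,
    route-maps) are dropped because none of the checks below need them."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif not raw.startswith(" "):
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def global_int(global_lines, pattern):
    """First integer captured by `pattern` on any global line, else None."""
    for line in global_lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return None


def exec_timeout_ok(block):
    """V-74027: exec-timeout MIN [SEC] must be nonzero and at most 10 minutes.
    IOS omits the 10-minute default from running-config, so absence passes."""
    for entry in block:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", entry)
        if m:
            secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < secs <= 600
    return True


def evaluate(text):
    """Map finding ID -> True (compliant) / False for the checks implemented here."""
    g, blocks = parse_config(text)
    has = lambda pat: any(re.match(pat, line) for line in g)
    vty = [b for name, b in blocks.items() if name.startswith("line vty")]
    lines = [b for name, b in blocks.items() if name.startswith(("line vty", "line con"))]
    attempts = global_int(g, r"login block-for \d+ attempts (\d+) within \d+")
    min_len = global_int(g, r"security passwords min-length (\d+)")
    return {
        # Authentication server for admin access; local login only as fallback.
        "V-73963": has(r"aaa new-model$") and has(r"aaa authentication login \S+ group (tacacs\+|radius)"),
        # Exactly one local account (the account of last resort).
        "V-74009": sum(line.startswith("username ") for line in g) == 1,
        # Lockout after at most three failed attempts; window/duration values are left to the STIG text.
        "V-73973": attempts is not None and attempts <= 3,
        "V-74011": min_len is not None and min_len >= 15,
        "V-73975": has(r"banner login "),
        "V-74027": all(exec_timeout_ok(b) for b in lines),
        # No telnet on vty lines and no HTTP management server (a common unnecessary service).
        "V-74007": bool(vty) and all("transport input ssh" in b for b in vty) and not has(r"ip http server$"),
        # Only hashed secrets: no 'enable password', no 'username ... password' (type 0/7).
        "V-74023": (has(r"service password-encryption$") and has(r"enable secret ")
                    and not has(r"enable password ")
                    and not any(re.match(r"username \S+.* password ", line) for line in g)),
        # Two authenticated NTP sources; geographic separation cannot be judged from config alone.
        "V-74045": has(r"ntp authenticate$") and sum(bool(re.match(r"ntp server \S+ .*key \d+", line)) for line in g) >= 2,
        "V-74085": has(r"logging host "),
        # Date/time stamps (one-second granularity or better) rather than uptime-relative stamps.
        "V-74049": has(r"service timestamps log datetime"),
    }


def failing(text):
    """Sorted list of the finding IDs that the supplied configuration fails."""
    return sorted(fid for fid, ok in evaluate(text).items() if not ok)


if __name__ == "__main__":
    print("weak config fails:", failing(WEAK_CONFIG))
    print("hardened config fails:", failing(HARDENED_CONFIG))
```

Run it against a saved "show running-config" by passing the file contents to failing(). The parser is deliberately narrow: it ignores every indented section except line blocks, so findings that depend on interface or AAA accounting state (for example the audit-record findings) are out of its scope and still need the STIG's manual check.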