UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Firewall Security Requirements Guide


Overview

Date Finding Count (319)
2012-12-10 CAT I (High): 3 CAT II (Med): 171 CAT III (Low): 145
STIG Description
The Firewall Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
SRG-NET-000063-FW-000045 High The firewall implementation must be configured to use cryptography to protect the integrity of remote access sessions.
SRG-NET-000062-FW-000044 High The firewall implementation must use approved cryptography to protect the confidentiality of remote access sessions.
SRG-NET-999999-FW-000183 High The firewall implementation must restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.
SRG-NET-000227-FW-NA Medium The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
SRG-NET-000060-FW-NA Medium The network element must allow the association of security attributes with information by authorized system administrators.
SRG-NET-000272-FW-000159 Medium The firewall implementation must identify and respond to potential security-relevant error conditions.
SRG-NET-000273-FW-000160 Medium The firewall implementation must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
SRG-NET-000132-FW-000081 Medium The firewall implementation must be configured to prohibit or restrict the use of organizationally defined functions, ports, protocols, and/or services.
SRG-NET-000311-FW-NA Medium The network element must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
SRG-NET-000023-FW-000022 Medium The firewall implementation must enforce security policies regarding information on interconnected systems.
SRG-NET-000191-FW-000117 Medium The firewall implementation must protect against or limit the effects of Denial of Service (DoS) attacks.
SRG-NET-000154-FW-000093 Medium The firewall implementation must prohibit password reuse for the organizationally defined number of generations.
SRG-NET-000069-FW-NA Medium The network element must protect wireless access to the network using authentication.
SRG-NET-000267-FW-000154 Medium The firewall implementation must verify the correct operation of security functions, in accordance with organizationally defined conditions and frequency.
SRG-NET-000258-FW-NA Medium The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
SRG-NET-000161-FW-000100 Medium The firewall implementation must enforce password encryption for transmission.
SRG-NET-000186-FW-000113 Medium The firewall implementation must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions.
SRG-NET-000120-FW-000075 Medium The firewall implementation must use automated mechanisms to support auditing of the enforcement actions.
SRG-NET-000139-FW-000085 Medium The firewall implementation must use multifactor authentication for network access to privileged accounts.
SRG-NET-000200-FW-0000124 Medium The firewall implementation must enforce strict adherence to protocol format.
SRG-NET-000070-FW-NA Medium The network element must protect wireless access to the network using encryption.
SRG-NET-000071-FW-NA Medium The network element must monitor for unauthorized connections of mobile devices to information systems.
SRG-NET-000244-FW-000152 Medium The firewall implementation must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.
SRG-NET-000163-FW-000102 Medium The firewall implementation must enforce maximum password lifetime restrictions.
SRG-NET-000190-FW-000116 Medium The firewall implementation must prevent unauthorized and unintended information transfer via shared system resources.
SRG-NET-000150-FW-NA Medium The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000280-FW-000164 Medium The firewall implementation must enforce information flow control on metadata.
SRG-NET-000164-FW-NA Medium The network element must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.
SRG-NET-000253-FW-NA Medium The network element must only update malicious code protection mechanisms when directed by a privileged user.
SRG-NET-000014-FW-000014 Medium The firewall implementation must be configured to dynamically manage account privileges and associated access authorizations.
SRG-NET-000260-FW-NA Medium The network element must take an organizationally defined list of least-disruptive actions to terminate suspicious events.
SRG-NET-000192-FW-000118 Medium The firewall implementation must restrict the ability of users to launch DoS attacks against other information systems or networks.
SRG-NET-000193-FW-000119 Medium The firewall implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
SRG-NET-000269-FW-000156 Medium The firewall implementation must provide notification of failed automated security tests.
SRG-NET-000251-FW-NA Medium The network element must automatically update malicious code protection mechanisms and rule definitions.
SRG-NET-000021-FW-000020 Medium The firewall implementation must allow authorized administrators to enable/disable organizationally defined security policy filters.
SRG-NET-000144-FW-000088 Medium The firewall implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the firewall being accessed.
SRG-NET-000266-FW-NA Medium The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.
SRG-NET-000040-FW-000035 Medium The firewall implementation must automatically lock an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.
SRG-NET-000199-FW-000123 Medium The firewall implementation must prevent discovery of specific system components or devices comprising a managed interface.
SRG-NET-000067-FW-000049 Medium The firewall implementation must disable use of organizationally defined networking protocols (on the firewall) deemed nonsecure, except for explicitly identified components in support of specific operational requirements.
SRG-NET-000177-FW-NA Medium The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.
SRG-NET-000125-FW-NA Medium The network element must employ automated mechanisms to centrally manage configuration settings.
SRG-NET-000250-FW-NA Medium The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SRG-NET-000103-FW-NA Medium The network element must protect audit tools from unauthorized deletion.
SRG-NET-000204-FW-000128 Medium The firewall implementation must monitor and enforce filtering of internal addresses posing a threat to external information systems.
SRG-NET-000035-FW-NA Medium The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.
SRG-NET-000151-FW-000091 Medium The firewall implementation must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000028-FW-NA Medium The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
SRG-NET-000264-FW-NA Medium The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
SRG-NET-000072-FW-NA Medium The network element must enforce requirements for the connection of mobile devices to organizational information systems.
SRG-NET-000129-FW-NA Medium The network element must ensure detected unauthorized security-relevant configuration changes are tracked.
SRG-NET-000246-FW-NA Medium The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
SRG-NET-000064-FW-000046 Medium The firewall implementation must route all remote access traffic through managed access control points.
SRG-NET-000201-FW-000125 Medium The firewall implementation must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.
SRG-NET-000127-FW-NA Medium The network element must employ automated mechanisms to centrally verify configuration settings.
SRG-NET-000162-FW-000101 Medium The firewall implementation must enforce minimum password lifetime restrictions.
SRG-NET-000134-FW-NA Medium The network element must employ automated mechanisms to detect the addition of unauthorized components or devices.
SRG-NET-000265-FW-NA Medium The network element must detect attack attempts to the wireless network.
SRG-NET-000225-FW-NA Medium The network element must associate security attributes with information exchanged between information systems.
SRG-NET-999999-FW-000175 Medium The firewall implementation must have only one local account created for use when the network is not available or direct access on the device is needed.
SRG-NET-000026-FW-000024 Medium The firewall implementation must uniquely identify destination domains for information transfer.
SRG-NET-000057-FW-NA Medium The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
SRG-NET-000065-FW-000047 Medium The firewall implementation must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.
SRG-NET-000068-FW-000050 Medium The firewall implementation must enforce requirements for remote connections to the network.
SRG-NET-000213-FW-000135 Medium The firewall implementation must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
SRG-NET-000187-FW-000114 Medium The firewall implementation must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
SRG-NET-999999-FW-000176 Medium The firewall implementation must be configured to use two or more authentication servers for the purpose of granting administrative access.
SRG-NET-999999-FW-000174 Medium The firewall implementation must reject requests for access or services when the source address received by the firewall specifies a loopback address.
SRG-NET-000181-FW-000111 Medium The firewall implementation must be configured to detect the presence of unauthorized software on organizational information systems.
SRG-NET-000184-FW-000112 Medium The firewall implementation must isolate security functions from non-security functions.
SRG-NET-000168-FW-000104 Medium The firewall implementation must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.
SRG-NET-999999-FW-000179 Medium The firewall implementation must inspect ingress and egress SMTP and Extended SMTP traffic to detect spam, phishing, and malformed message attacks.
SRG-NET-000033-FW-000029 Medium The firewall implementation must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions.
SRG-NET-000015-FW-000015 Medium The firewall implementation must enforce approved authorizations for logical access to the firewall in accordance with applicable policy.
SRG-NET-000261-FW-NA Medium The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
SRG-NET-000203-FW-000127 Medium The firewall implementation must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
SRG-NET-000210-FW-000133 Medium The firewall implementation must protect the confidentiality of transmitted information.
SRG-NET-000232-FW-000145 Medium The firewall implementation must generate a unique session identifier for each session.
SRG-NET-000037-FW-000032 Medium The firewall implementation must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.
SRG-NET-000189-FW-000115 Medium The firewall implementation must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SRG-NET-000030-FW-000026 Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
SRG-NET-000160-FW-000099 Medium The firewall implementation must enforce password encryption for storage.
SRG-NET-000234-FW-000147 Medium The firewall implementation must generate unique session identifiers with organizationally defined randomness requirements.
SRG-NET-000263-FW-NA Medium The network element must analyze outbound traffic at the external boundary of the network.
SRG-NET-000058-FW-NA Medium The network element must allow the change of security attributes by authorized administrators.
SRG-NET-000167-FW-000103 Medium The firewall implementation must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
SRG-NET-000288-FW-000167 Medium The firewall implementation must prevent the download of prohibited mobile code.
SRG-NET-000308-FW-000170 Medium The firewall implementation must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SRG-NET-000029-FW-000025 Medium The firewall implementation must enforce dynamic traffic flow control based on policy that allows/disallows information flows based on changing threat conditions or operational environment.
SRG-NET-999999-FW-000186 Medium The firewall implementation must generate application log records for success or failure of firewall rules as determined by the organization to be relevant to the security of the network infrastructure.
SRG-NET-000027-FW-NA Medium The network element must uniquely authenticate destination domains for information transfer.
SRG-NET-000197-FW-NA Medium The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.
SRG-NET-000122-FW-000077 Medium The firewall implementation must enforce a two-person rule for changes to organizationally defined information system components and system-level information.
SRG-NET-000228-FW-000141 Medium The firewall implementation must implement detection and inspection mechanisms to identify unauthorized mobile code.
SRG-NET-000133-FW-000082 Medium The firewall implementation must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications.
SRG-NET-000016-FW-NA Medium The network element must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands.
SRG-NET-999999-FW-000178 Medium The firewall implementation must inspect inbound and outbound DNS traffic for protocol conformance.
SRG-NET-000310-FW-000171 Medium The firewall implementation must initiate session audits at system start-up.
SRG-NET-000025-FW-NA Medium The network element must uniquely authenticate source domains for information transfer.
SRG-NET-000131-FW-000080 Medium The firewall implementation must not have unnecessary services and capabilities enabled.
SRG-NET-000259-FW-NA Medium The network element must notify an organizationally defined list of incident response personnel of suspicious events.
SRG-NET-999999-FW-000200 Medium The firewall implementation must protect application log information from unauthorized read access.
SRG-NET-999999-FW-000201 Medium The firewall implementation must protect the application log information from unauthorized modification.
SRG-NET-999999-FW-000202 Medium The firewall implementation must protect application logs from unauthorized deletion.
SRG-NET-000231-FW-000144 Medium The firewall implementation must invalidate session identifiers upon user logout or other session termination.
SRG-NET-000257-FW-NA Medium The network element must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.
SRG-NET-000119-FW-000074 Medium The firewall implementation must use automated mechanisms to enforce access restrictions.
SRG-NET-000287-FW-000166 Medium The firewall implementation must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
SRG-NET-000175-FW-NA Medium The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.
SRG-NET-000153-FW-000092 Medium The firewall implementation must enforce minimum password length.
SRG-NET-000031-FW-000027 Medium The firewall implementation must enforce organizationally defined limitations on the embedding of data types within other data types.
SRG-NET-000022-FW-000021 Medium The firewall implementation must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.
SRG-NET-000176-FW-NA Medium The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
SRG-NET-000198-FW-000122 Medium The firewall implementation must route all management traffic through a dedicated management interface.
SRG-NET-000018-FW-000017 Medium The firewall implementation must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.
SRG-NET-000128-FW-NA Medium The network element must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.
SRG-NET-000106-FW-000067 Medium The firewall implementation must use cryptographic mechanisms to protect the integrity of audit log information.
SRG-NET-000286-FW-000165 Medium The firewall implementation must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
SRG-NET-999999-FW-000198 Medium The firewall implementation must be configured to send an alert to designated personnel in the event the application log fails to function.
SRG-NET-000019-FW-000018 Medium The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
SRG-NET-000178-FW-000109 Medium The firewall implementation must terminate all sessions when non-local maintenance is completed.
SRG-NET-999999-FW-000191 Medium The firewall implementation must produce application log records containing sufficient information to establish the source of the event.
SRG-NET-000156-FW-000095 Medium The firewall implementation must enforce password complexity by the number of lower case characters used.
SRG-NET-000195-FW-000121 Medium The firewall implementation must check inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.
SRG-NET-000271-FW-000158 Medium The firewall implementation must detect unauthorized changes to software and information.
SRG-NET-000219-FW-000137 Medium The firewall implementation must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000224-FW-000139 Medium The firewall implementation must protect the integrity and availability of publicly available information and applications.
SRG-NET-000038-FW-000033 Medium The firewall implementation must enforce the organizationally defined maximum number of consecutive invalid login attempts.
SRG-NET-000165-FW-NA Medium The network element must enforce authorized access to the corresponding private key for PKI-based authentication.
SRG-NET-000211-FW-000134 Medium The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.
SRG-NET-000214-FW-000136 Medium The firewall implementation must establish a trusted communications path between the user and organizationally defined security functions within the information system.
SRG-NET-000312-FW-000172 Medium The firewall implementation must check the validity of data inputs.
SRG-NET-000313-FW-000173 Medium The firewall implementation must only reveal error messages to authorized personnel.
SRG-NET-000170-FW-000105 Medium The firewall implementation must employ automated mechanisms to assist in the tracking of security incidents.
SRG-NET-000118-FW-000073 Medium The firewall implementation must enforce access restrictions associated with changes to the system components.
SRG-NET-000123-FW-000078 Medium The firewall implementation must limit privileges to change software resident within software libraries, including privileged programs.
SRG-NET-000158-FW-000097 Medium The firewall implementation must enforce password complexity by the number of special characters used.
SRG-NET-000174-FW-000108 Medium The firewall implementation must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.
SRG-NET-000141-FW-000086 Medium The firewall implementation must use multifactor authentication for local access to privileged accounts.
SRG-NET-999999-FW-000182 Medium The firewall implementation must reject requests for access or services when the source IP address specifies a loopback address.
SRG-NET-999999-FW-000181 Medium The firewall implementation must inspect inbound and outbound HTTP traffic for protocol conformance.
SRG-NET-999999-FW-000180 Medium The firewall implementation must drop FTP connections containing harmful or malformed traffic.
SRG-NET-999999-FW-000187 Medium The firewall implementation must prevent log processing failures by rejecting or delaying network traffic generated above configurable traffic volume thresholds as defined by the organization.
SRG-NET-000239-FW-000151 Medium The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest.
SRG-NET-999999-FW-000184 Medium A firewall located behind the premise router must be configured to block all outbound management traffic.
SRG-NET-000143-FW-000087 Medium The firewall implementation must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
SRG-NET-000152-FW-NA Medium The network element must dynamically manage identifiers, attributes, and associated access authorizations.
SRG-NET-000208-FW-000132 Medium The firewall implementation must use cryptographic mechanisms to protect the integrity of information while in transit, unless otherwise protected by alternative physical measures.
SRG-NET-000032-FW-000028 Medium The firewall implementation must enforce organizationally defined one-way traffic flows.
SRG-NET-000172-FW-000106 Medium The firewall implementation must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
SRG-NET-000039-FW-000034 Medium The firewall implementation must enforce the organizationally defined time period over which the number of invalid login attempts are counted.
SRG-NET-000146-FW-000089 Medium The firewall implementation must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.
SRG-NET-000207-FW-000131 Medium The firewall implementation must protect the integrity of transmitted information.
SRG-NET-000229-FW-000142 Medium The firewall implementation must take corrective action when unauthorized mobile code is identified.
SRG-NET-000226-FW-000140 Medium The firewall implementation must validate the integrity of security attributes exchanged between information systems.
SRG-NET-000059-FW-NA Medium The network element must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions.
SRG-NET-000180-FW-000110 Medium The firewall implementation must employ cryptographic mechanisms to protect information in storage.
SRG-NET-000002-FW-000002 Medium The firewall implementation must automatically terminate temporary accounts after an organizationally defined time period for each type of account.
SRG-NET-000121-FW-000076 Medium The firewall implementation must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.
SRG-NET-000020-FW-000019 Medium The firewall implementation must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
SRG-NET-000194-FW-000120 Medium The firewall implementation must limit the use of resources by priority.
SRG-NET-000279-FW-000163 Medium The firewall implementation must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.
SRG-NET-000124-FW-000079 Medium The firewall implementation must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
SRG-NET-000024-FW-000023 Medium The firewall implementation must uniquely identify source domains for information transfer.
SRG-NET-000256-FW-NA Medium The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
SRG-NET-000205-FW-000129 Medium The firewall implementation must monitor and control traffic at both the external and internal boundary interfaces.
SRG-NET-000220-FW-000138 Medium The firewall implementation must employ FIPS-validated cryptography to protect unclassified information.
SRG-NET-000166-FW-NA Medium The network element must map the authenticated identity to the user account for PKI-based authentication.
SRG-NET-000233-FW-000146 Medium The firewall implementation must allow only system generated session identifiers.
SRG-NET-000249-FW-000153 Medium The firewall implementation must be configured to perform organizationally defined actions in response to malicious code detection.
SRG-NET-000268-FW-000155 Medium The firewall implementation must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.
SRG-NET-000289-FW-NA Medium The network element must prevent the execution of prohibited mobile code.
SRG-NET-000061-FW-000043 Medium The firewall implementation must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
SRG-NET-000149-FW-NA Low The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000278-FW-NA Low The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions.
SRG-NET-000247-FW-NA Low The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency.
SRG-NET-000303-FW-NA Low The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
SRG-NET-000252-FW-NA Low The network element must prevent non-privileged users from circumventing malicious code protection capabilities.
SRG-NET-000006-FW-000006 Low The firewall implementation must notify the appropriate individuals when accounts are created.
SRG-NET-000212-FW-NA Low The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000100-FW-000066 Low The firewall implementation must protect audit logs from unauthorized deletion.
SRG-NET-000282-FW-NA Low The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.
SRG-NET-000245-FW-NA Low The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
SRG-NET-000281-FW-NA Low The network element must identify information flows by data type specification and usage when transferring information between different security domains.
SRG-NET-000078-FW-000055 Low The firewall implementation must produce audit log records containing sufficient information to determine if the event was a success or failure.
SRG-NET-000096-FW-000062 Low The firewall implementation must use internal system clocks to generate timestamps for audit records.
SRG-NET-000003-FW-000003 Low The firewall implementation must automatically terminate emergency accounts after an organizationally defined time period.
SRG-NET-000237-FW-NA Low The network element must include components that proactively seek to identify web based malicious code.
SRG-NET-000090-FW-NA Low The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
SRG-NET-000138-FW-NA Low The network element must enforce the identification and authentication of all organizational users.
SRG-NET-000093-FW-NA Low Audit log reduction must be enabled on the network element.
SRG-NET-000255-FW-NA Low The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
SRG-NET-000241-FW-NA Low The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000094-FW-NA Low The network element must provide a report generation capability for the audit log.
SRG-NET-000102-FW-NA Low The network element must protect audit tools from unauthorized modification.
SRG-NET-000290-FW-NA Low The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code.
SRG-NET-000262-FW-NA Low The network element must ensure all encrypted traffic is visible to network monitoring tools.
SRG-NET-000041-FW-000036 Low The firewall implementation must display an approved system use notification message (or banner) before granting access to the system.
SRG-NET-000157-FW-000096 Low The firewall implementation must enforce password complexity by the number of numeric characters used.
SRG-NET-000110-FW-NA Low The network element must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
SRG-NET-999999-FW-000190 Low The firewall implementation must produce application log records containing sufficient information to establish where the events occurred.
SRG-NET-000009-FW-000009 Low The firewall implementation must automatically audit account disabling actions.
SRG-NET-000087-FW-NA Low The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization.
SRG-NET-000008-FW-000008 Low The firewall implementation must notify the organizationally identified individuals when accounts are modified.
SRG-NET-000171-FW-NA Low The network element must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.
SRG-NET-000084-FW-NA Low The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity.
SRG-NET-000113-FW-000070 Low The firewall implementation must provide audit record generation capability for organizationally defined auditable events occurring within the firewall.
SRG-NET-000088-FW-000060 Low The firewall implementation must be configured to send an alert to designated personnel in the event of an audit processing failure.
SRG-NET-000196-FW-NA Low The network element must implement host based boundary protection mechanisms.
SRG-NET-000083-FW-NA Low The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded.
SRG-NET-000011-FW-000011 Low The firewall implementation must automatically audit account termination.
SRG-NET-000242-FW-NA Low The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency.
SRG-NET-000095-FW-NA Low The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria.
SRG-NET-000285-FW-NA Low The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
SRG-NET-000001-FW-000001 Low The firewall implementation must provide automated support for account management functions.
SRG-NET-000105-FW-NA Low The network element must backup system level audit event log records on an organizationally defined frequency onto a different system or media.
SRG-NET-000140-FW-NA Low The network element must use multifactor authentication for network access to non-privileged accounts.
SRG-NET-000221-FW-NA Low The network element must employ NSA-approved cryptography to protect classified information.
SRG-NET-000236-FW-000149 Low The firewall implementation must preserve organizationally defined system state information in the event of a system failure.
SRG-NET-000056-FW-NA Low The network element must support and maintain the binding of organizationally defined security attributes to information in transmission.
SRG-NET-000081-FW-000058 Low The firewall implementation must transmit audit events to the organization's central audit log server.
SRG-NET-000091-FW-NA Low The network element must centralize the review and analysis of audit records from multiple network elements within the network.
SRG-NET-000243-FW-NA Low The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
SRG-NET-000050-FW-NA Low The network element must notify the user of the number of successful login attempts occurring during an organizationally defined time period.
SRG-NET-000049-FW-000040 Low Upon successful login, the firewall implementation must notify the user of the number of unsuccessful login attempts since the last successful login.
SRG-NET-000218-FW-NA Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SRG-NET-000073-FW-NA Low The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
SRG-NET-999999-FW-000177 Low The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks.
SRG-NET-000254-FW-NA Low The network element must not allow users to introduce removable media into the information system.
SRG-NET-000066-FW-000048 Low The firewall implementation must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.
SRG-NET-000085-FW-000059 Low The firewall implementation must provide a real-time alert when organizationally defined audit failure events occur.
SRG-NET-000142-FW-NA Low The network element must use multifactor authentication for local access to non-privileged accounts.
SRG-NET-000079-FW-000056 Low The firewall implementation must capture and log sufficient information to establish the identity of user accounts associated with the audit event.
SRG-NET-000183-FW-NA Low The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
SRG-NET-000112-FW-NA Low The network element must produce a system-wide audit trail composed of log records in a standardized format.
SRG-NET-000004-FW-000004 Low The firewall implementation must automatically disable inactive accounts after an organizationally defined time period of inactivity.
SRG-NET-000092-FW-NA Low The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications.
SRG-NET-000080-FW-000057 Low The firewall implementation must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.
SRG-NET-000309-FW-NA Low The network element must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces.
SRG-NET-000005-FW-000005 Low The firewall implementation must automatically audit the creation of accounts.
SRG-NET-000053-FW-000042 Low The firewall implementation must limit the number of concurrent sessions for each account to an organizationally defined number.
SRG-NET-999999-FW-000203 Low The firewall implementation must backup application log records at an organizationally defined frequency onto a different system or media.
SRG-NET-000202-FW-000126 Low The firewall implementation must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
SRG-NET-000054-FW-NA Low The network element implementation must support and maintain the binding of organizationally defined security attributes to information in storage.
SRG-NET-000305-FW-NA Low The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation.
SRG-NET-000304-FW-NA Low The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.
SRG-NET-000115-FW-000072 Low The firewall implementation must generate audit log events for a locally developed list of auditable events.
SRG-NET-000284-FW-NA Low The network element must detect unsanctioned information when transferring information between different security domains.
SRG-NET-000043-FW-000038 Low The firewall implementation must display a DoD-approved system use notification message or banner before granting access to the device.
SRG-NET-000147-FW-NA Low The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SRG-NET-000052-FW-NA Low The network element must notify the user of organizationally defined security related changes to the user's account occurring during the organizationally defined time period.
SRG-NET-000145-FW-NA Low The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the firewall being accessed.
SRG-NET-000082-FW-NA Low The network element must allocate audit record storage capacity.
SRG-NET-000179-FW-NA Low The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SRG-NET-999999-FW-000195 Low The firewall implementation must allocate firewall application log record storage capacity.
SRG-NET-000048-FW-000039 Low Upon successful login, the firewall implementation must notify the user of the date and time of the last login.
SRG-NET-000099-FW-000065 Low The firewall implementation must protect audit log information from unauthorized modification.
SRG-NET-000159-FW-000098 Low The firewall implementation must enforce the number of characters changed when passwords are changed.
SRG-NET-000055-FW-NA Low The network element must support and maintain the binding of organizationally defined security attributes to information in process.
SRG-NET-000089-FW-000061 Low The firewall implementation must be capable of taking organizationally defined actions upon audit failure.
SRG-NET-000137-FW-000084 Low The firewall implementation must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-000306-FW-000168 Low The firewall implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
SRG-NET-000126-FW-NA Low The network element must employ automated mechanisms to centrally apply configuration settings.
SRG-NET-000036-FW-000031 Low The firewall implementation must provide finer-grained allocation of account privileges through the use of separate processing domains.
SRG-NET-000012-FW-000012 Low The firewall implementation must notify the organizationally identified individuals for account termination.
SRG-NET-000222-FW-NA Low The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
SRG-NET-000010-FW-000010 Low The firewall implementation must notify the organizationally identified individuals when the account has been disabled.
SRG-NET-999999-FW-000192 Low The firewall implementation must produce application log records containing sufficient information to determine if the event was a success or failure.
SRG-NET-999999-FW-000193 Low The firewall implementation must capture and log sufficient information to establish the identity of any user accounts associated with the firewall application event.
SRG-NET-999999-FW-000194 Low The firewall implementation must capture and log organizationally defined additional information (identified by type, location, or subject) to the records for firewall application events.
SRG-NET-000230-FW-000143 Low The firewall implementation must provide mechanisms to protect the authenticity of communications sessions.
SRG-NET-999999-FW-000196 Low The firewall implementation application event logging function must reduce the likelihood of log record capacity being exceeded.
SRG-NET-999999-FW-000197 Low The firewall implementation must provide a warning when the application event logging storage capacity reaches an organizationally defined maximum capacity.
SRG-NET-000248-FW-NA Low The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed.
SRG-NET-000148-FW-000090 Low The firewall implementation must authenticate an organizationally defined list of specific devices by device type before establishing a connection.
SRG-NET-000215-FW-NA Low The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes.
SRG-NET-000098-FW-000064 Low The firewall implementation must protect audit log information from unauthorized read access.
SRG-NET-000270-FW-000157 Low The firewall implementation must provide automated support for the management of distributed security testing.
SRG-NET-000173-FW-000107 Low The firewall implementation must log non-local maintenance and diagnostic sessions.
SRG-NET-000114-FW-000071 Low The firewall implementation must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
SRG-NET-000307-FW-000169 Low The firewall implementation must enforce a DAC policy that includes or excludes access to the granularity of a single user.
SRG-NET-000007-FW-000007 Low The firewall implementation must automatically audit account modification.
SRG-NET-000235-FW-000148 Low The firewall implementation must fail to an organizationally defined known state for organizationally defined types of failures.
SRG-NET-000302-FW-NA Low The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
SRG-NET-000301-FW-NA Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
SRG-NET-000209-FW-NA Low The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.
SRG-NET-000017-FW-000016 Low The firewall implementation must implement organizationally defined nondiscretionary access control policies over organizationally defined users and resources.
SRG-NET-000076-FW-000053 Low The firewall implementation must produce audit log records containing sufficient information to establish where the events occurred.
SRG-NET-000283-FW-NA Low The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.
SRG-NET-000101-FW-NA Low The network element must protect audit tools from unauthorized access.
SRG-NET-000034-FW-000030 Low The firewall implementation must implement separation of duties through assigned information system access authorizations.
SRG-NET-000217-FW-NA Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
SRG-NET-000135-FW-NA Low The network element must support organizational requirements to conduct backups of user level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-999999-FW-000188 Low The firewall implementation must produce application event log records that contain sufficient information to establish what type of event occurred.
SRG-NET-000300-FW-NA Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.
SRG-NET-000206-FW-0000130 Low The firewall implementation must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
SRG-NET-999999-FW-000185 Low The firewall implementation must be configured to log any attempt to a port, protocol, or service that is denied.
SRG-NET-000075-FW-000052 Low The firewall implementation must produce audit log records containing sufficient information to establish when the events occurred.
SRG-NET-000277-FW-000162 Low The firewall implementation must disable network access by unauthorized devices and must log the information as a security violation.
SRG-NET-000155-FW-000094 Low The firewall implementation must enforce password complexity by the number of upper case characters used.
SRG-NET-000097-FW-000063 Low The firewall implementation must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.
SRG-NET-000104-FW-NA Low The network element must produce audit records on hardware-enforced write-once media.
SRG-NET-999999-FW-000189 Low The firewall implementation must produce application event log records containing sufficient information to establish when the events occurred.
SRG-NET-999999-FW-000199 Low The firewall implementation must be configured to stop generating application log records or overwrite the oldest log records when a log failure occurs.
SRG-NET-000051-FW-000041 Low The firewall implementation must notify the user of the number of unsuccessful login attempts occurring during an organizationally defined time period.
SRG-NET-000042-FW-000037 Low The firewall implementation must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.
SRG-NET-000182-FW-NA Low The network element must separate user functionality (including user interface services) from information system management functionality.
SRG-NET-000136-FW-000083 Low The firewall implementation must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency.
SRG-NET-000074-FW-000051 Low The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred.
SRG-NET-000274-FW-000161 Low The firewall implementation must activate an organizationally defined alarm when a system component failure is detected.
SRG-NET-000238-FW-000150 Low The firewall implementation must protect the confidentiality and integrity of system information at rest.
SRG-NET-000108-FW-000069 Low The firewall must protect against an individual falsely denying having performed a particular action.
SRG-NET-000013-FW-000013 Low The firewall implementation must monitor for unusual usage of accounts.
SRG-NET-000077-FW-000054 Low The firewall implementation must produce audit log records containing sufficient information to establish the source of the event.
SRG-NET-000216-FW-NA Low The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
SRG-NET-000107-FW-000068 Low The firewall implementation must use cryptography to protect the integrity of audit tools.
SRG-NET-000086-FW-NA Low The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged.
SRG-NET-000169-FW-NA Low The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.