| V-76219 | High | CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personal only. | There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device to... |
| V-76223 | High | CounterACT must disable all unnecessary and/or nonsecure plugins. | CounterACT is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational... |
| V-76247 | High | CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-76215 | Medium | CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| V-76231 | Medium | If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | Protection of log data includes ensuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited... |
| V-76235 | Medium | CounterACT must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-76237 | Medium | CounterACT must sent audit logs to a centralized audit server (i.e., syslog server). | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity. |
| V-76213 | Medium | CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| V-76217 | Medium | CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B. | CJCSM 6510.01B, "Cyber Incident Handling Program", in subsection e.(6)(c) sets forth requirements for Cyber events detected by an automated system.
By immediately displaying an alarm message,... |
| V-76259 | Medium | CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |
| V-76241 | Medium | CounterACT must be configured to synchronize internal information system clocks with the organizations primary and secondary NTP servers. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
| V-76193 | Medium | For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.
Nonlocal account are configured... |
| V-76197 | Medium | CounterACT must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-76199 | Medium | CounterACT must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.
One method of minimizing this risk is to use complex passwords and... |
| V-76233 | Medium | CounterACT must limit privileges to change the software resident within software libraries. | Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed... |
| V-76227 | Medium | CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-76243 | Medium | CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals. | If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important... |
| V-76253 | Medium | The network device must terminate shared/group account credentials when members leave the group. | A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are... |
| V-76221 | Medium | CounterACT must employ automated mechanisms to centrally apply authentication settings. | The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local... |
| V-76209 | Medium | CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
| V-76225 | Medium | CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-76205 | Medium | CounterACT must enforce access restrictions associated with changes to the system components. | Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals... |
| V-76245 | Medium | CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-76251 | Medium | CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
| V-76201 | Medium | CounterACT must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
To meet password policy requirements, passwords need... |
| V-76203 | Medium | CounterACT must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
| V-76249 | Medium | In the event the authentication server is unavailable, one local account must be created for use as the account of last resort. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on CounterACT's local database for use in an emergency, such as when... |
| V-76239 | Medium | CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time.... |
| V-76265 | Medium | If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used. | Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group... |
| V-76263 | Medium | If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used. | Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-76229 | Medium | CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media. | This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device.
Files on the network device or on... |
| V-76261 | Medium | Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort). | The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local... |
| V-76211 | Low | CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system... |
| V-76195 | Low | CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to CounterACT ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive... |
| V-76257 | Low | CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. | The administrator must acknowledge the banner prior to CounterACT allowing the administrator access to CounterACT. This provides assurance that the administrator has seen the message and accepted... |
| V-76255 | Low | The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. | The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local... |
| V-76207 | Low | CounterACT must generate audit log events for a locally developed list of auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| V-76267 | Low | CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type. | Network device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per... |
