
ForeScout CounterACT NDM Security Technical Implementation Guide


Overview

Date: 2017-09-19
Finding Count (38): CAT I (High): 3, CAT II (Med): 29, CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-76219 High CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personnel only.
V-76223 High CounterACT must disable all unnecessary and/or nonsecure plugins.
V-76247 High CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-76215 Medium CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-76231 Medium If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-76235 Medium CounterACT must enforce password complexity by requiring that at least one special character be used.
V-76237 Medium CounterACT must send audit logs to a centralized audit server (i.e., syslog server).
V-76213 Medium CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-76217 Medium CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B.
V-76259 Medium CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.
V-76241 Medium CounterACT must be configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers.
V-76193 Medium For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-76197 Medium CounterACT must enforce password complexity by requiring that at least one numeric character be used.
V-76199 Medium CounterACT must enforce a 60-day maximum password lifetime restriction.
V-76233 Medium CounterACT must limit privileges to change the software resident within software libraries.
V-76227 Medium CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.
V-76243 Medium CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.
V-76253 Medium The network device must terminate shared/group account credentials when members leave the group.
V-76221 Medium CounterACT must employ automated mechanisms to centrally apply authentication settings.
V-76209 Medium CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
V-76225 Medium CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.
V-76205 Medium CounterACT must enforce access restrictions associated with changes to the system components.
V-76245 Medium CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication.
V-76251 Medium CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-76201 Medium CounterACT must prohibit password reuse for a minimum of five generations.
V-76203 Medium CounterACT must enforce a minimum 15-character password length.
V-76249 Medium In the event the authentication server is unavailable, one local account must be created for use as the account of last resort.
V-76239 Medium CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
V-76265 Medium If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used.
V-76263 Medium If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.
V-76229 Medium CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.
V-76261 Medium Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
V-76211 Low CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
V-76195 Low CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-76257 Low CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-76255 Low The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
V-76207 Low CounterACT must generate audit log events for a locally developed list of auditable events.
V-76267 Low CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.