|Any publicly accessible connection to SSMC must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
|Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent...
|SSMC must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
|In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.
The task of...
|SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
|Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or...
|SSMC must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
|Display of a standardized and approved use notification before granting access to SSMC ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive...
|SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
|If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability...
|SSMC must enforce a minimum 15-character password length.
|The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the...
|SSMC must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
|Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
|SSMC must be configured to offload logs to a SIEM that is configured to alert the ISSO or SA when the local built-in admin account (ssmcadmin) is accessed.
|Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security...
|SSMC must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
|Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by...
|For PKI-based authentication, SSMC must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
|Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative...
|SSMC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
|Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when...
|SSMC must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
|Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port...
|SSMC must provide audit record generation capability for DOD-defined auditable events for all operating system components.
|Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|SSMC must enforce the limit of three consecutive invalid logon attempts by a nonadministrative user.
|By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by...