| V-255237 | Medium | Any publicly accessible connection to SSMC must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent... |
| V-255250 | Medium | SSMC must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.
The task of... |
| V-255248 | Medium | SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
| V-255238 | Medium | SSMC must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. | Display of a standardized and approved use notification before granting access to SSMC ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive... |
| V-255239 | Medium | SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability... |
| V-255241 | Medium | SSMC must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the... |
| V-255240 | Medium | SSMC must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. |
| V-255243 | Medium | SSMC must be configured to offload logs to a SIEM that is configured to alert the ISSO or SA when the local built-in admin account (ssmcadmin) is accessed. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
| V-255242 | Medium | SSMC must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by... |
| V-255245 | Medium | For PKI-based authentication, SSMC must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative... |
| V-255244 | Medium | SSMC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |
| V-255247 | Medium | SSMC must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-255249 | Low | SSMC must provide audit record generation capability for DOD-defined auditable events for all operating system components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit... |
| V-255246 | Low | SSMC must enforce the limit of three consecutive invalid logon attempts by a nonadministrative user. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by... |
