IBM DataPower Network Device Management Security Technical Implementation Guide


Overview

Date: 2017-10-05
Finding Count (64): CAT I (High): 2, CAT II (Med): 56, CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-65107 High The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-65165 High The DataPower Gateway must use SNMPv3.
V-65075 Medium The DataPower Gateway must protect audit information from any type of unauthorized read access.
V-65097 Medium If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.
V-65081 Medium The DataPower Gateway must protect audit tools from unauthorized deletion.
V-65189 Medium The DataPower Gateway must not use 0.0.0.0 as the management IP address.
V-65087 Medium The DataPower Gateway must limit privileges to change the software resident within software libraries.
V-65085 Medium The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-65183 Medium The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
V-65089 Medium The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
V-65181 Medium The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.
V-65187 Medium The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-65185 Medium The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
V-65103 Medium The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.
V-65101 Medium If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.
V-65105 Medium The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-65109 Medium The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-65175 Medium The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
V-65129 Medium The DataPower Gateway must generate an immediate alert for account enabling actions.
V-65063 Medium The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
V-65167 Medium The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
V-65161 Medium The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device.
V-65067 Medium The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-64981 Medium The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-65123 Medium The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
V-65169 Medium The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.
V-65141 Medium The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
V-65139 Medium The DataPower Gateway must audit the execution of privileged functions.
V-65157 Medium The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
V-65077 Medium The DataPower Gateway must protect audit tools from unauthorized access.
V-65163 Medium The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.
V-65069 Medium The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.
V-65093 Medium The DataPower Gateway must prohibit password reuse for a minimum of five generations.
V-65095 Medium If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.
V-65121 Medium The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
V-65099 Medium If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used.
V-65115 Medium The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
V-65117 Medium The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.
V-65111 Medium The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-65113 Medium The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.
V-65091 Medium The DataPower Gateway must enforce a minimum 15-character password length.
V-65119 Medium The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.
V-65125 Medium The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
V-65177 Medium The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
V-65153 Medium The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-65155 Medium The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-65173 Medium The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
V-65135 Medium If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-65171 Medium The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.
V-65079 Medium The DataPower Gateway must protect audit tools from unauthorized modification.
V-65159 Medium The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
V-65143 Medium The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-65131 Medium The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.
V-65127 Medium The DataPower Gateway must automatically audit account enabling actions.
V-65137 Medium If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
V-65073 Medium The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-65179 Medium The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
V-65071 Medium The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-65083 Low The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-65065 Low The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-65149 Low The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-65147 Low The DataPower Gateway must generate an immediate real-time alert of all audit failure events.
V-65151 Low The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-65145 Low The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.