SRG-NET-000160-IDPS-000147 | High | The IDPS must enforce password encryption for storage. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000058-IDPS-000006 | High | The IDPS must allow only authorized administrators to change security attributes. | System administrators of the IDPS system can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact... |
SRG-NET-000219-IDPS-000178 | High | Modems used for remote access to the IDPS must be able to authenticate users using two-factor authentication. | IDPS management consoles may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. This is not a recommended practice since... |
SRG-NET-000161-IDPS-000144 | High | The IDPS must enforce password encryption for transmission. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000060-IDPS-000008 | High | The IDPS must allow authorized system administrators to associate security attributes with information. | System administrators of the IDPS system can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact the... |
SRG-NET-000060-IDPS-000010 | High | The IPS must only allow authorized devices to change security attributes. | In some implementations, the IPS system may work with the firewalls, routers, or switches to dynamically update or create rules. Changes to the IPS may cause the sensors to miss critical... |
SRG-NET-000062-IDPS-000012 | High | Communications using the auxiliary port(s) must be configured to use cryptography to protect the confidentiality of the remote access session. | IDS and IPS devices may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. Use of the modem for remote system... |
SRG-NET-000203-IDPS-NA | Medium | The network element must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network such as web server, web mail, and chat rooms. This prevents any... |
SRG-NET-000067-IDPS-000016 | Medium | The IDPS must disable use of organizationally defined networking protocols. | Some networking protocols that allow remote access may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security... |
SRG-NET-000277-IDPS-NA | Medium | The IPS must disable network access by unauthorized devices and must log the information as a security violation. | Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote... |
SRG-NET-000190-IDPS-000201 | Medium | The IDPS must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information produced by the actions of a prior user, role, or the actions of a process acting on behalf of a prior user/role from being available to any... |
SRG-NET-000018-IDPS-000042 | Medium | The IDPS must allow only in-band management sessions from authorized IP addresses from the internal network. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000266-IDPS-000236 | Medium | The IDPS must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network. | DoD information could be compromised if wireless scanning is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A wireless... |
SRG-NET-000170-IDPS-000158 | Medium | The IDPS must employ automated mechanisms to assist in the tracking of security incidents. | Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An... |
SRG-NET-000168-IDPS-000156 | Medium | For password protection, the IDPS must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | An IDPS not protected with strong passwords provides the opportunity for anyone to crack the password, thus gaining access to the system and the network. All passwords must be kept and known only... |
SRG-NET-000184-IDPS-000200 | Medium | The IDPS must isolate security functions from non-security functions. | The IDPS must be designed and configured to isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This... |
SRG-NET-000208-IDPS-000211 | Medium | The IDPS must use cryptographic mechanisms to protect the integrity of information while in transit. | This control applies to communications across internal and external networks, unless the information is protected by a physical security solution (e.g., Protective Distribution System [PDS] or... |
SRG-NET-000216-IDPS-NA | Medium | The IDPS must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000081-IDPS-000078 | Medium | The IDPS must support the requirement to centrally manage the events from multiple sensor queues. | Centrally managing data captured by the various sensors provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert... |
SRG-NET-000228-IDPS-000183 | Medium | The IDPS must implement detection and inspection mechanisms to identify unauthorized mobile code. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
SRG-NET-000097-IDPS-000098 | Medium | The IDPS must authenticate NTP messages received. | Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
SRG-NET-000186-IDPS-000197 | Medium | The IDPS must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions. | The IDPS must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security functions from those... |
SRG-NET-000227-IDPS-NA | Medium | The IDPS must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
SRG-NET-000114-IDPS-000074 | Medium | The IDPS must allow administrators to select which rule sets are to be logged at the management console and sensor level. | All sensors of the IDPS must be configurable with the organizationally defined rules. This requirement does not require each sensor be configured with separate rule sets; however, this capability... |
SRG-NET-000121-IDPS-000112 | Medium | The IDPS must prevent the installation of organizationally defined critical software programs not signed with a certificate that is recognized and approved by the organization. | Changes to any software components of the IDPS can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the... |
SRG-NET-000175-IDPS-000161 | Medium | The IDPS must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption. | Network management is the process of monitoring the IDPS and links, configuring the IDPS, and enabling network services. Network management also includes the collection of performance,... |
SRG-NET-000218-IDPS-NA | Medium | The IDPS must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000127-IDPS-000119 | Medium | The IDPS must employ automated mechanisms to centrally verify configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can... |
SRG-NET-000287-IDPS-000140 | Medium | The IDPS console port must be configured to time out after 10 minutes or less of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able... |
SRG-NET-000138-IDPS-NA | Medium | The IDPS must enforce the identification and authentication of all organizational users. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
SRG-NET-000019-IDPS-NA | Medium | The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000256-IDPS-000237 | Medium | The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions. | IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Both inbound and outbound traffic must be... |
SRG-NET-000107-IDPS-000108 | Medium | The IDPS must protect application audit and sensor event log information from unauthorized modification. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
SRG-NET-000288-IDPS-000185 | Medium | The IDPS must prevent the download of prohibited mobile code. | Decisions regarding the use of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java,... |
SRG-NET-000014-IDPS-000034 | Medium | The IDPS must be configured to dynamically manage administrative privileges and associated command authorizations. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data.... |
SRG-NET-000187-IDPS-000198 | Medium | The IDPS must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The IDPS must be designed and configured to minimize the number of non-security functions included within the boundary containing security functions. An isolation boundary, implemented via... |
SRG-NET-000032-IDPS-000053 | Medium | The IDPS must enforce organizationally defined one-way traffic flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000215-IDPS-NA | Medium | The IDPS must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000021-IDPS-000045 | Medium | The IDPS must enforce the highest privilege level administrative access to enable or disable security policy filters. | The use of AAA affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the IDPS in conjunction with an authentication server, the... |
SRG-NET-000071-IDPS-000019 | Medium | If the site uses periodic WIDS scanning, then the system must be configured to meet the requirements. | Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources... |
SRG-NET-000201-IDPS-000208 | Medium | The IPS must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices. | The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of... |
SRG-NET-000243-IDPS-000222 | Medium | The IDPS must be configured to implement automated patch management tools to facilitate flaw remediation to network components. | It is imperative that the activity promptly installs security relevant software updates from an authorized patch management server to mitigate the risk of new vulnerabilities. Flaws discovered... |
SRG-NET-000108-IDPS-000069 | Medium | The IDPS must log administrator access and system configuration changes in a central logging server such as a management console/server. | This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes... |
SRG-NET-000281-IDPS-NA | Medium | The IDPS must identify information flows by data type specification and usage when transferring information between different security domains. | Traffic flows must be identified by types and traffic rates when information is being transferred between different security domains. This requirement applies to Cross Domain Solutions.... |
SRG-NET-000158-IDPS-000141 | Medium | The IDPS must enforce password complexity by the number of special characters used. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000253-IDPS-000224 | Medium | The IDPS must only update malicious code protection mechanisms when directed by a privileged user. | Malicious code includes viruses, worms, Trojan horses, and spyware. It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users and... |
SRG-NET-000092-IDPS-000234 | Medium | The IDPS must employ automated mechanisms to alert security personnel of any inappropriate or unusual activities with security implications. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was... |
SRG-NET-000239-IDPS-000195 | Medium | The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system... |
SRG-NET-000165-IDPS-000153 | Medium | The IDPS must enforce authorized access to the corresponding private key for PKI-based authentication. | The principal factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an... |
SRG-NET-000247-IDPS-NA | Medium | The IDPS must employ malicious code protection mechanisms to perform periodic scans of the information system on an organizationally defined frequency. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000106-IDPS-000105 | Medium | The IDPS must use cryptographic mechanisms to protect the integrity of audit and sensor event log information. | Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for... |
SRG-NET-000039-IDPS-000060 | Medium | The maximum number of unsuccessful login attempts must be set to an organizationally defined value. | By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated. |
SRG-NET-000123-IDPS-000114 | Medium | The IDPS must limit privileges to change software resident within software libraries. | Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed... |
SRG-NET-000300-IDPS-NA | Medium | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution. | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
SRG-NET-000141-IDPS-000132 | Medium | The IDPS must use multi-factor authentication for local access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000023-IDPS-000047 | Medium | The IPS must enforce security policies regarding information on interconnected systems. | Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy... |
SRG-NET-000220-IDPS-000173 | Medium | The IDPS must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing... |
SRG-NET-000113-IDPS-000073 | Medium | The IDPS must generate log records for alerts determined by the organization to be relevant to the security of the network infrastructure. | Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location... |
SRG-NET-000024-IDPS-000049 | Medium | The IDPS must uniquely identify source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000167-IDPS-000155 | Medium | The IDPS must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account holder must... |
SRG-NET-000244-IDPS-000228 | Medium | The IDPS must implement signatures to detect specific attacks and protocols known to affect web servers. | In the Regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for... |
SRG-NET-000071-IDPS-000020 | Medium | WIDS sensor scan results must be saved for at least one year. | DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices. If sites do not maintain scan logs, it cannot be determined if IDS findings are isolated and... |
SRG-NET-000057-IDPS-000005 | Medium | The IDPS must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity.... |
SRG-NET-000154-IDPS-000143 | Medium | The IDPS must prohibit password reuse for the organizationally defined number of generations. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000231-IDPS-000188 | Medium | The IDPS must invalidate session identifiers upon user logout or other session termination. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000237-IDPS-000194 | Medium | The IDPS must implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers. | In the Regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for... |
SRG-NET-000234-IDPS-000191 | Medium | The IDPS must generate unique session identifiers with organizationally defined randomness requirements. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000179-IDPS-000166 | Medium | The IDPS must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
SRG-NET-000055-IDPS-000003 | Medium | The IDPS must support and maintain the binding of organizationally defined security attributes to information in process. | Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity.... |
SRG-NET-000257-IDPS-000239 | Medium | The IDPS must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur. | When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism. Near... |
SRG-NET-000229-IDPS-000182 | Medium | The IDPS must take corrective action when unauthorized mobile code is identified. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
SRG-NET-000251-IDPS-000223 | Medium | The IDPS must automatically update malicious code protection mechanisms and signature definitions. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
SRG-NET-000063-IDPS-000013 | Medium | The IDPS auxiliary port or modem must be configured to use cryptography to protect the integrity of remote access sessions. | If a modem is installed on the auxiliary port of the IDPS management console to provide direct remote management access, cryptographic mechanisms must be implemented to protect the integrity of... |
SRG-NET-000273-IDPS-000217 | Medium | The IDPS must generate notification messages containing information necessary for corrective actions for errors encountered; however, these messages must not contain organizationally defined sensitive or potentially harmful information. | The extent to which the IDPS is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, it is imperative that the IDPS does not... |
SRG-NET-000144-IDPS-000134 | Medium | The IDPS must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000254-IDPS-000225 | Medium | The IDPS must not allow users to introduce removable media into the information system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000069-IDPS-NA | Medium | The IDPS must protect wireless access to the network using authentication. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
SRG-NET-000222-IDPS-000174 | Medium | The IDPS must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
SRG-NET-000118-IDPS-000116 | Medium | The IDPS must enforce access restrictions associated with changes to the information system. | Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
SRG-NET-000016-IDPS-000035 | Medium | The IDPS must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands. | Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or IDPS configuration changes require dual-authorization before being... |
SRG-NET-000199-IDPS-000206 | Medium | The IDPS must prevent discovery of specific system components or devices comprising a managed interface. | Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan... |
SRG-NET-000018-IDPS-000043 | Medium | The IDPS management console, management server, or data management console server must reside in the management network (in-band). | Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis... |
SRG-NET-000152-IDPS-NA | Medium | The IDPS must dynamically manage identifiers, attributes, and associated access authorizations to enable user access to the network with the appropriate and authorized privileges. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data.... |
SRG-NET-000018-IDPS-000041 | Medium | The IPS must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000151-IDPS-000138 | Medium | The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices. | An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a... |
SRG-NET-000134-IDPS-000126 | Medium | A periodic or continuous monitoring IDS or IPS must be installed to scan the network. | Monitoring may be accomplished on an ongoing basis or by periodic scanning. Automated mechanisms can be implemented within the network. |
SRG-NET-000226-IDPS-000180 | Medium | The IDPS must validate the integrity of security attributes exchanged between information systems. | Security attributes are associated with internal structures within the IDPS used to enable the implementation of access control and flow control policies or support other aspects of the... |
SRG-NET-000194-IDPS-000202 | Medium | The IDPS must limit and reserve bandwidth based on the priority of the traffic type. | Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network... |
SRG-NET-000056-IDPS-000002 | Medium | The IDPS must support and maintain the binding of organizationally defined security attributes to information in transmission. | Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity.... |
SRG-NET-000193-IDPS-NA | Medium | The IDPS must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks. | An IDPS experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers... |
SRG-NET-000244-IDPS-000230 | Medium | The sensor positioned to protect servers in the server farm or DMZ must provide protection from DoS SYN Flood attacks by dropping half-open TCP sessions. | A SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by... |
SRG-NET-000244-IDPS-000231 | Medium | The LAND DoS signature must be implemented to protect the enclave. | The LAND attack is a DoS attack in which an attacker sends a TCP packet (with the SYN bit set) to a system in which the source and destination IP address (along with the source and destination... |
SRG-NET-000209-IDPS-000212 | Medium | The IDPS must maintain the integrity of information during aggregation and encapsulation in preparation for transmission. | This control applies to communications across internal and external networks. The IDPS must employ cryptographic mechanisms to recognize changes to information while preparing information for... |
SRG-NET-000064-IDPS-NA | Medium | The network element must route all remote access traffic through managed access control points. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of... |
SRG-NET-000290-IDPS-NA | Medium | The IDPS must prevent the automatic execution of mobile code in organizationally defined software applications and requires organizationally defined actions prior to executing the code. | Decisions regarding the employment of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java,... |
SRG-NET-000112-IDPS-000072 | Medium | The IDPS must produce a system-wide audit trail composed of log records in a standardized format. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was... |
SRG-NET-000189-IDPS-000199 | Medium | The IDPS must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The IDPS must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions... |
SRG-NET-000286-IDPS-000103 | Medium | The IDPS must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions. | Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This... |
SRG-NET-000207-IDPS-000213 | Medium | The IDPS must protect the integrity of transmitted information. | The IDPS must employ cryptographic mechanisms to recognize changes to information during transmission unless the transmission is otherwise protected by alternative physical measures. If... |
SRG-NET-000206-IDPS-NA | Medium | The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. | The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the... |
SRG-NET-000068-IDPS-NA | Medium | The IDPS must enforce requirements for remote connections to the network. | Remote access services enable users outside of the enclave to have access to data and services within the private network. Enabling access to the network from outside introduces security risks... |
SRG-NET-000027-IDPS-NA | Medium | The IDPS must uniquely authenticate destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000126-IDPS-000118 | Medium | The IDPS must employ automated mechanisms to centrally apply configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can... |
SRG-NET-000219-IDPS-000177 | Medium | IDPS auxiliary port(s) must be disabled if not approved for use. | IDS and IPS devices may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. This is not a recommended practice since it... |
SRG-NET-000245-IDPS-NA | Medium | The IDPS must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000020-IDPS-000044 | Medium | The IDPS must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000037-IDPS-000157 | Medium | The IDPS must be configured to automatically disable itself if any of the organizationally defined lists of security events are detected. | To reduce or eliminate the risk to the network, the IDPS must be configured to disable itself and its components if the IDPS itself is compromised. A list of known attacks to the IDPS system must... |
SRG-NET-000119-IDPS-000110 | Medium | The IDPS must be configured to enable automated mechanisms to enforce access restrictions. | Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
SRG-NET-000059-IDPS-000007 | Medium | The IDPS must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000115-IDPS-000075 | Medium | The IDPS must generate log alerts for locally developed sensor rules. | Logging specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Locally developed... |
SRG-NET-000083-IDPS-000079 | Medium | The IDPS sensor events log monitoring application or mechanism retrieves events from the sensor before the events log becomes full. | The IDPS logging facility must be configured to reduce the likelihood of log record capacity being exceeded. Events on the sensor are typically stored on a large events log. The log in the sensor... |
SRG-NET-000146-IDPS-000135 | Medium | The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts. | All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the IDPS validating user credentials must not be vulnerable to a replay attack... |
SRG-NET-000166-IDPS-000154 | Medium | The IDPS must map the authenticated identity to the user account for PKI-based authentication. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account must... |
SRG-NET-000210-IDPS-000215 | Medium | The IDPS must protect the confidentiality of transmitted information. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000033-IDPS-000054 | Medium | The IPS must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000061-IDPS-NA | Medium | The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
SRG-NET-000054-IDPS-000004 | Medium | The IDPS must support and maintain the binding of organizationally defined security attributes to information in storage. | Security attribute assignments (e.g., metadata, classification, subject categories, nationality, user access privileges, or affiliation) are abstractions representing the basic properties or... |
SRG-NET-000195-IDPS-000203 | Medium | The IPS must check inbound traffic to ensure that the communications are coming from an authorized source and routed to an authorized destination. | Spoofing source addresses occurs when a malicious user outside the network has created packets with source address belonging to the private address space of the target network. This is done in an... |
SRG-NET-000174-IDPS-000162 | Medium | The IDPS must protect non-local maintenance sessions through the use of two-factor authentication. | Without authentication anyone with logical access can access IDPS components allowing intruders to compromise resources within the network infrastructure. Network access control mechanisms... |
SRG-NET-000283-IDPS-NA | Medium | The IDPS must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains. | It is imperative that when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organization's security policy requirements.... |
SRG-NET-000120-IDPS-000111 | Medium | The IDPS must be configured to enable automated mechanisms to support auditing of the enforcement actions. | Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals allowed... |
SRG-NET-000149-IDPS-000136 | Medium | The IDPS must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices. | An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a... |
SRG-NET-000244-IDPS-000229 | Medium | The IDPS must ensure IP hijacking signatures have been implemented. | There are a number of publicly available tools that exist to facilitate the hijacking of TCP sessions. An attacker using such tools can determine the TCP sequence and acknowledgement numbers that... |
SRG-NET-000077-IDPS-000080 | Medium | The IDPS must produce sensor log records containing sufficient information to establish the source of the event. | It is essential for security personnel to know what is being done, what was attempted, when, and by whom in order to compile an accurate risk assessment. Logging the actions of specific... |
SRG-NET-000198-IDPS-000205 | Medium | The IDPS must receive all management traffic through a dedicated management interface. | Implementing out-of-band (OOB) management for the IDPS is the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to... |
SRG-NET-000262-IDPS-NA | Medium | The IDPS must ensure all encrypted traffic is visible to network monitoring tools. | IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic... |
SRG-NET-000244-IDPS-000227 | Medium | The IDPS must provide an automated means to review and validate whitelist and blacklist entries. | A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously... |
SRG-NET-000244-IDPS-000226 | Medium | The IDPS must protect the enclave from malware and unexpected traffic by using TCP reset signatures. | By listening to the conversation flow of inbound and outbound internet traffic for malware and malware references, the IDPS can prevent unwanted programs entering into the enclave. When it detects... |
SRG-NET-000259-IDPS-000242 | Medium | The IDPS must notify an organizationally defined list of incident response personnel of suspicious events. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been... |
SRG-NET-000180-IDPS-000167 | Medium | The IDPS must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
SRG-NET-000172-IDPS-000159 | Medium | The IDPS must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | With the growth of widespread network delivered malware infections, organizations tend to overlook the spread of malware from system to system through removable media. Once an infected media is... |
SRG-NET-000131-IDPS-000125 | Medium | The sensor must be configured to alarm if unexpected protocols for network management enter the subnet. | The management network must detect all attacks on the management hosts. The management network has a range of traffic that is permitted. Some of the following traffic is allowed on the Management... |
SRG-NET-000131-IDPS-000123 | Medium | The IDPS must not have unnecessary services and capabilities enabled. | A compromised IDPS introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks... |
SRG-NET-000265-IDPS-000235 | Medium | The IDPS must detect attack attempts to the wireless network. | DoD information could be compromised if wireless scanning is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A wireless... |
SRG-NET-000169-IDPS-NA | Medium | The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. | Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use... |
SRG-NET-000139-IDPS-000131 | Medium | Management connections to the IDPS must require authentication. | Devices protected with weak password schemes or no password at all, provide the opportunity for anyone to crack the password or gain access to the device and cause network, device, or information... |
SRG-NET-000002-IDPS-000023 | Medium | The IDPS must automatically terminate temporary accounts after an organizationally defined time period for each type of account. | Authentication for administrative access to the device is required at all times. Temporary accounts can be used for vendor support in order to perform diagnostics. There is a risk the temporary... |
SRG-NET-000212-IDPS-NA | Medium | The IDPS must maintain the confidentiality of information during aggregation and encapsulation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000192-IDPS-NA | Medium | The IDPS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | An IDPS experiencing a DoS attack will not be able to handle the production traffic load. The high CPU utilization caused by a DoS attack will also have an effect on control keep-alives and... |
SRG-NET-000279-IDPS-000039 | Medium | The IDPS must prevent access to organizationally defined security-relevant information except during secure, non-operable system states. | Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce... |
SRG-NET-000205-IDPS-000210 | Medium | The IPS must monitor and control traffic at both the external and internal boundary interfaces. | Monitoring and controlling both inbound and outbound network traffic adds a layer of protection to the enclave. Unlike an IDS, an IPS can both detect and take action to prevent harmful... |
SRG-NET-000129-IDPS-000121 | Medium | The IDPS must ensure that detected unauthorized security-relevant configuration changes are tracked. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can... |
SRG-NET-000139-IDPS-000130 | Medium | The IDPS must use multifactor authentication for network access to privileged accounts. | Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic... |
SRG-NET-000285-IDPS-NA | Medium | The IDPS must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
SRG-NET-000264-IDPS-000233 | Medium | The IDPS must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies. | IDPS sensors must be deployed at strategic locations within the network. At a minimum, they must be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic... |
SRG-NET-000182-IDPS-NA | Medium | The network elements must separate user traffic from network management traffic. | Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and... |
SRG-NET-000164-IDPS-000152 | Medium | The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchors" such as a Certification... |
SRG-NET-000030-IDPS-NA | Medium | All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms. | Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the... |
SRG-NET-000022-IDPS-000046 | Medium | The IDPS must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies. | The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policies must require the... |
SRG-NET-000096-IDPS-000100 | Medium | The IDPS must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
SRG-NET-000269-IDPS-000246 | Medium | The IDPS must provide notification of failed automated security tests. | Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organizationally defined responses and alternative actions. Without taking any... |
SRG-NET-000065-IDPS-000014 | Medium | The IDPS must continuously monitor for unauthorized remote connections to specific information systems. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
SRG-NET-000087-IDPS-000089 | Medium | The IPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization. | Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network... |
SRG-NET-000098-IDPS-000107 | Medium | The IDPS must protect application audit and sensor event log information from unauthorized read access. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was... |
SRG-NET-000196-IDPS-NA | Medium | The IDPS must implement host-based boundary protection mechanisms. | The network element, dependent on the underlying operating system, is at greater risk due to software vulnerabilities and access capabilities. It is critical these devices have host-based IDS and... |
SRG-NET-000171-IDPS-000091 | Medium | The IDPS must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists. | It is critical that when a network device is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the device were to continue processing without auditing... |
SRG-NET-000263-IDPS-000232 | Medium | The IDPS must analyze outbound traffic at the external boundary of the network. | IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic... |
SRG-NET-000029-IDPS-000051 | Medium | The IDPS must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000156-IDPS-000151 | Medium | The IDPS must enforce password complexity by the number of lower case characters used. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000197-IDPS-NA | Medium | The IDPS must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets. | To secure the enclave, the site must implement defense-in-depth security. This requires the deployment of various network security elements at strategic locations. The enclave must also be... |
SRG-NET-000176-IDPS-000163 | Medium | The IDPS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Network management is the process of monitoring the IDPS and links, configuring the IDPS, and enabling network services. Network management also includes the collection of performance,... |
SRG-NET-000070-IDPS-NA | Medium | The IDPS must protect wireless access to the network using encryption. | The security boundary of a WLAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to... |
SRG-NET-000217-IDPS-NA | Medium | The IDPS must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000242-IDPS-000221 | Medium | The IDPS must use SNMP Version 3 (SNMPv3) Security Model with FIPS 140-2 compliant cryptography (i.e., SHA authentication and AES encryption). | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an attacker or other... |
SRG-NET-000224-IDPS-000179 | Medium | The IDPS must protect the integrity and availability of publicly available information and applications. | Public-facing servers enable access to information by clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data is... |
SRG-NET-000261-IDPS-000243 | Medium | The IDPS must protect information obtained from network scanning from unauthorized access, modification, and deletion. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. The intrusion detection device must be configured to ensure... |
SRG-NET-000028-IDPS-000050 | Medium | The IDPS must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000303-IDPS-NA | Medium | The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
SRG-NET-000289-IDPS-000184 | Medium | The IPS must prevent the execution of prohibited mobile code. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
SRG-NET-000219-IDPS-000176 | Medium | The IDPS must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | It is imperative the authentication process and the transmission of network management traffic implements cryptographic modules adhering to the standards approved by the federal government. If... |
SRG-NET-000202-IDPS-NA | Medium | The IPS must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter. | All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal... |
SRG-NET-000309-IDPS-000204 | Medium | The IDPS must protect against unauthorized physical connections across the boundary protections implemented at organizationally defined list of managed interfaces. | Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating... |
SRG-NET-000250-IDPS-NA | Medium | The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000214-IDPS-000172 | Medium | The IDPS must establish a trusted communications path between the user and organizationally defined security functions within the information system. | To safeguard critical information that could be used by a malicious user to compromise the device or the entire network infrastructure, a trusted path is required for high-confidence connections... |
SRG-NET-000163-IDPS-000145 | Medium | The IDPS must enforce maximum password lifetime restrictions. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000122-IDPS-000113 | Medium | The IDPS must enforce a two-person rule for changes to organizationally defined information system components and system-level information. | Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed... |
SRG-NET-000015-IDPS-000040 | Medium | The IDPS must be configured to work with an authentication server to enforce the assigned privilege and authorization level for each administrator. | The use of authentication, authorization, and accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. Privilege levels, as well as which... |
SRG-NET-000233-IDPS-000190 | Medium | The IDPS must allow only system generated session identifiers. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000249-IDPS-NA | Medium | The IDPS must be configured to perform organizationally defined actions in response to malicious code detection. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000124-IDPS-000115 | Medium | The IDPS must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately. | Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals are allowed administrative... |
SRG-NET-000232-IDPS-000189 | Medium | The IDPS must generate a unique session identifier for each session. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000128-IDPS-000120 | Medium | The IDPS must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can... |
SRG-NET-000241-IDPS-NA | Medium | The IDPS must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points. This control is covered as part... |
SRG-NET-000213-IDPS-000171 | Medium | The IDPS must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed IDPS and a... |
SRG-NET-000301-IDPS-NA | Medium | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
SRG-NET-000132-IDPS-NA | Medium | The IDPS must employ automated mechanisms to detect the addition of unauthorized components or devices. | Centrally managing configuration changes for all network devices can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that... |
SRG-NET-000145-IDPS-NA | Medium | The IDPS must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000125-IDPS-000117 | Medium | The IDPS must employ automated mechanisms to centrally manage configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can... |
SRG-NET-000211-IDPS-000214 | Medium | The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000282-IDPS-NA | Medium | The IDPS must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains. | Information must be decomposed into policy-relevant subcomponents, so the applicable policies and filters can be applied when information is being transferred between different security domains.... |
SRG-NET-000284-IDPS-NA | Medium | The IDPS must detect unsanctioned information when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
SRG-NET-000181-IDPS-000168 | Medium | The IDPS must be configured to detect the presence of unauthorized software on organizational information systems. | The goal of running vulnerability assessment scans is to identify devices on your network that are open to known vulnerabilities. Malicious software such as Trojan horses, hacker tools, DDoS... |
SRG-NET-000181-IDPS-000169 | Medium | The IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure they are still accurate and necessary. | A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously... |
SRG-NET-000143-IDPS-000133 | Medium | System administrators must be authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Sharing group accounts on any device is prohibited. If... |
SRG-NET-000260-IDPS-000241 | Medium | The IDPS must take an organizationally defined list of least-disruptive actions to terminate suspicious events. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been... |
SRG-NET-000221-IDPS-000170 | Medium | The IDPS must employ NSA-approved cryptography to protect classified information. | Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. To... |
SRG-NET-000071-IDPS-000018 | Medium | If the site uses continuous WIDS scanning, then the system must be configured to meet requirements. | Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources... |
SRG-NET-000153-IDPS-000142 | Medium | The IDPS must enforce minimum password length. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000086-IDPS-000090 | Medium | The IDPS must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged. | Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network... |
SRG-NET-000071-IDPS-000017 | Medium | The site must scan the radio frequency spectrum for unauthorized WLAN devices. | Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources... |
SRG-NET-000280-IDPS-000052 | Medium | The IDPS must enforce information flow control on metadata. | Metadata is defined as data providing information about one or more pieces of data such as purpose of the data, author or creator of the data, network location of where data was created, and... |
SRG-NET-000183-IDPS-000186 | Medium | The IDPS must prevent the exposure of network management traffic onto a user or production network. | Network management is the process of monitoring the IDPS and links, configuring the IDPS to turn up and disable network services, the collection of performance, diagnostics, and other relevant... |
SRG-NET-000110-IDPS-000071 | Medium | The IDPS management consoles must be logically installed on the management network. | The central management console or data management console server provides a central location to store, view, analyze, and produce detailed reports on alerts. This server must be installed on a... |
SRG-NET-000026-IDPS-000048 | Medium | The IDPS must uniquely identify destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000025-IDPS-NA | Medium | The IDPS must uniquely authenticate source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000256-IDPS-000238 | Medium | The IPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal... |
SRG-NET-000147-IDPS-NA | Medium | The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device for which the individual is... |
SRG-NET-000036-IDPS-000057 | Medium | The IDPS must provide the capability for a privileged administrator to configure organizationally defined security policy filters to support different security policies. | Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to... |
SRG-NET-000162-IDPS-000146 | Medium | The IDPS must enforce minimum password lifetime restrictions. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000088-IDPS-000092 | Medium | The IDPS must be configured to send an alert to designated personnel in the event of an audit processing failure. | Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000040-IDPS-000059 | Medium | The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts is exceeded and remain locked until released by an administrator. | Locking out an account after the maximum number of unsuccessful login attempts is exceeded will reduce the risk of unauthorized system access via password guessing. |
SRG-NET-000200-IDPS-000207 | Medium | The IPS must enforce strict adherence to protocol format. | Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by malicious people to exploit a host's protocol stack to create a Denial of... |
SRG-NET-000038-IDPS-000058 | Medium | The maximum number of unsuccessful login attempts must be set to an organizationally defined value. | A malicious or unauthorized user could gain access to an IDPS by guessing or using methods such as dictionary attack, word list substitution, or brute force attack, all of which require multiple... |
SRG-NET-000225-IDPS-000181 | Medium | The IDPS must associate security attributes with information exchanged between information systems. | Security attributes are associated with internal structures within the IDPS application used to enable the implementation of access control and flow control policies or support other aspects of... |
SRG-NET-000271-IDPS-000247 | Medium | The IDPS must detect unauthorized changes to software and information. | Anomalous behavior and unauthorized changes must be detected before the IDPS is breached or no longer in service. Identifying the source and method used to make the unauthorized change will help... |
SRG-NET-000302-IDPS-NA | Medium | The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
SRG-NET-000258-IDPS-000240 | Medium | The IDPS must be installed in stealth mode without an IP address on the interface with data flow. | Both passive and inline sensors must be installed in stealth mode. For stealth mode, an IP address is not assigned to the network interfaces used to monitor network traffic. Only network... |
SRG-NET-000031-IDPS-NA | Medium | The IDPS must terminate all tunnels prior to passing through the perimeter security zone. | Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the... |
SRG-NET-000178-IDPS-000165 | Medium | The IDPS must terminate all sessions when non-local maintenance is completed. | In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated, thereby freeing device resources and... |
SRG-NET-000100-IDPS-000109 | Medium | The IDPS must protect application audit and sensor event logs from unauthorized deletion. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
SRG-NET-000110-IDPS-000070 | Medium | The IDPS must provide a centralized management console/server that compiles data from the agents and sensors. | Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis... |
SRG-NET-000133-IDPS-000122 | Medium | The IDPS must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications. | A compromised IDPS introduces risk to the entire network infrastructure as well as data resources accessible via the network. The perimeter defense has no oversight or control of attacks by... |
SRG-NET-000150-IDPS-000137 | Medium | The IDPS must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices. | Without authentication, an unauthorized device can easily connect to a nearby access-point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from... |
SRG-NET-000255-IDPS-NA | Medium | IDPS sensors must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols. | IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic... |
SRG-NET-000140-IDPS-NA | Medium | The IDPS must use multi-factor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000248-IDPS-NA | Medium | The IDPS must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000308-IDPS-000175 | Medium | The IDPS must employ FIPS-validated or NSA-approved cryptography to implement digital signatures. | Cryptography is only as strong as the encryption algorithms employed to encrypt the data. Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data.... |
SRG-NET-000132-IDPS-000124 | Medium | The IDPS must be configured to prohibit or restrict the use of ports, protocols, and services in accordance with organizationally defined requirements. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000246-IDPS-NA | Medium | The IDPS must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They... |
SRG-NET-000191-IDPS-NA | Medium | The IDPS must protect against or limit the effects of Denial of Service (DoS) attacks. | An IDPS experiencing a DoS attack will not be able to handle the production traffic load. The high utilization and CPU load caused by a DoS attack will also have an effect on control keep-alives and timers... |
SRG-NET-000204-IDPS-000209 | Medium | The IPS must monitor and enforce filtering of internal addresses posing a threat to external information systems. | Monitoring and filtering the outbound traffic adds a layer of protection to the enclave. Unlike an IDS, an IPS can both detect and take action to prevent harmful traffic from leaving the... |
SRG-NET-000177-IDPS-000164 | Medium | The IDPS must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions. | Lack of authentication enables anyone to gain access to the network or possibly an IDPS providing opportunity for intruders to compromise resources within the network infrastructure. Network... |
SRG-NET-000142-IDPS-NA | Medium | The IDPS must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000252-IDPS-NA | Medium | The IDPS must prevent non-privileged users from circumventing malicious code protection capabilities. | It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users. This control pertains to anti-virus products which are out of scope. |
SRG-NET-000306-IDPS-000037 | Low | The IDPS must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, and cryptography) are used to control... |
SRG-NET-000074-IDPS-000081 | Low | The IDPS must produce sensor log records that contain sufficient information to establish what type of event occurred. | It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment.... |
SRG-NET-000082-IDPS-000085 | Low | The IDPS must be configured to allocate audit record storage capacity. | The IDPS must allocate storage capacity to contain log records. Log records on the sensors are critical because if space is not available the sensor may malfunction. The site would lose valuable... |
SRG-NET-000001-IDPS-000021 | Low | The IDPS must provide automated support for account management functions. | Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to IDPS is being controlled in a secured manner by granting... |
SRG-NET-000278-IDPS-000011 | Low | The IDPS must display security attributes in human-readable form on each object output from the system to system output devices, to identify an organizationally identified set of special dissemination, handling, or distribution instructions, using organizationally identified human-readable, standard naming conventions. | When applications generate or output data, the associated security attributes need to be displayed. Security attributes are abstractions representing the basic properties or characteristics of an... |
SRG-NET-000097-IDPS-000097 | Low | The IDPS must be configured to use a minimum of two Network Time Protocol (NTP) servers to synchronize time. | The various components within the network infrastructure providing the log records must have their clocks synchronized using a common time reference so the events can be correlated in exact order... |
SRG-NET-000093-IDPS-000096 | Low | Audit log reduction must be enabled on the IDPS. | Log reduction is the capability of a system to consolidate, archive and compress audit logs. This process saves space when saving these logs over a long time period. Log entries must not be... |
SRG-NET-000107-IDPS-000106 | Low | The IDPS must use cryptography to protect the integrity of audit tools. | Audit tools provide services such as audit reduction, reporting, or analysis. Without mechanisms such as a signed hash using asymmetric cryptography, the integrity of the collected data garnered... |
SRG-NET-000105-IDPS-000104 | Low | The IDPS must backup system level and sensor event log records on an organizationally defined frequency onto a different system or media. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000090-IDPS-000094 | Low | The IDPS must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000011-IDPS-000031 | Low | The IDPS must automatically audit account termination. | Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary... |
SRG-NET-000270-IDPS-000245 | Low | The IDPS must provide automated support for the management of distributed security testing. | The need to verify security functionality is necessary to ensure the IDPS's defense is enabled. To scale the deployment of the verification process, the IDPS must provide automated support for... |
SRG-NET-000051-IDPS-000066 | Low | The IDPS must notify the user of the number of unsuccessful login attempts to the local device occurring during an organizationally defined time period. | Providing users with information regarding the number of unsuccessful logon attempts to the local device that have occurred over an organizationally defined time period. Without this information,... |
SRG-NET-000017-IDPS-000036 | Low | The IDPS must implement nondiscretionary access control policies over users and resources. | When nondiscretionary access control mechanisms are implemented, security labels are assigned to securable objects and users are granted access to the objects only if their level of access matches... |
SRG-NET-000052-IDPS-000068 | Low | The IDPS must notify the user of organizationally defined security related changes to the user's account occurring during the organizationally defined time period. | Providing users with information regarding organizationally defined security related changes to the user's account occurring during the organizationally defined time period, allows the user to... |
SRG-NET-000307-IDPS-000038 | Low | The IDPS must enforce a DAC policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by... |
SRG-NET-000080-IDPS-000077 | Low | The IDPS must capture and log alerts that contain detailed information for events identified by type, location, and subject. | Audit record content that may be necessary to satisfy the requirement of this control, includes, timestamps, source and destination addresses, user/process identifiers, event descriptions,... |
SRG-NET-000082-IDPS-000087 | Low | The IDPS must provide a warning when the logging storage capacity reaches 75% of maximum capacity. | It is imperative the IDPS is configured to allocate storage capacity to contain log records and an alert is generated when the capacity reaches an organization-defined threshold. Without this... |
SRG-NET-000089-IDPS-000093 | Low | The IDPS must be configured to stop generating log records or overwrite the oldest log records when an audit failure occurs. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000049-IDPS-000065 | Low | Upon successful logon, the IDPS must display, to the user, the number of unsuccessful logon attempts since the last successful logon. | Providing users with information regarding the number of unsuccessful logon attempts since the last successful login. Without this information, the user may not become aware that unauthorized... |
SRG-NET-000072-IDPS-NA | Low | The IDPS must enforce requirements for the connection of mobile devices to organizational information systems. | Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the... |
SRG-NET-000079-IDPS-000076 | Low | The IDPS must capture and log sufficient information to establish the identity of any user accounts associated with the event. | Log records content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions,... |
SRG-NET-000083-IDPS-000086 | Low | The IDPS logging function must be configured to reduce the likelihood of log record capacity being exceeded. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000095-IDPS-000095 | Low | The IDPS must provide the capability to automatically process log records for events of interest based upon selectable criteria. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000043-IDPS-000063 | Low | The IDPS must display an approved system use notification message or banner before granting access to the device. | All network devices must present a DoD approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy "Use of DoD Information... |
SRG-NET-000050-IDPS-000067 | Low | The IDPS must notify the user of the number of successful login attempts to the local device occurring during an organizationally defined time period. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000238-IDPS-000196 | Low | The IDPS must protect the confidentiality and integrity of system information at rest. | This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system... |
SRG-NET-000236-IDPS-000192 | Low | The IDPS must preserve organizationally defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
SRG-NET-000066-IDPS-000015 | Low | The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
SRG-NET-000268-IDPS-000244 | Low | The IDPS must respond to security function anomalies in accordance with organizationally defined responses and alternative actions. | Verification of security functionality is necessary to ensure the system's defenses are enabled. These anomalies are detected by running self-tests on each component in the IDPS. For those... |
SRG-NET-000267-IDPS-000245 | Low | The IDPS must be configured to perform periodic self-tests that verify security functionality is operational during system state changes (i.e., initialization, shutdown, and aborts). | The integrity of security functions during system state changes will be periodically tested. Tests will determine the system is operating as required during each system state. The organization... |
SRG-NET-000137-IDPS-000129 | Low | The IDPS must support organizational requirements to conduct backups of information system documentation including security related documentation per organizationally defined frequency that is consistent with recovery time and recovery point object | System information contained on an IDPS contains default and customized attributes as well as software required for the execution and operation of the device. If this information becomes corrupted... |
SRG-NET-000010-IDPS-000026 | Low | The IDPS must notify the account owner when the account has been disabled. | Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary... |
SRG-NET-000102-IDPS-000102 | Low | The IDPS must protect audit tools from unauthorized modification. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000304-IDPS-NA | Low | The network element that collectively provides name/address resolution service for an organization must be fault-tolerant. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
SRG-NET-000005-IDPS-000028 | Low | The IDPS must automatically audit the creation of accounts. | Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by... |
SRG-NET-000012-IDPS-000027 | Low | The IDPS must notify the appropriate individuals for account termination. | Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary... |
SRG-NET-000096-IDPS-000099 | Low | The IDPS must use internal system clocks to generate timestamps for audit records. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000078-IDPS-000084 | Low | The IDPS must produce log records containing sufficient information to determine if the event was a success or failure. | It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment.... |
SRG-NET-000085-IDPS-000088 | Low | The IDPS must provide a real-time alert when organizationally defined audit failure events occur. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000076-IDPS-000082 | Low | The IDPS must produce log records containing sufficient information to establish where the events occurred. | It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment.... |
SRG-NET-000048-IDPS-000064 | Low | Upon successful logon, the IDPS must display the date and time of the last logon of the user. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000148-IDPS-000139 | Low | The IDPS must authenticate an organizationally defined list of specific devices by device type before establishing a connection. | An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a... |
SRG-NET-000035-IDPS-000056 | Low | The IDPS must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts. | The IDPS implementation may include tools and applications which are valuable for some network users. By default, non-privileged users cannot access or execute these commands. However, the... |
SRG-NET-000235-IDPS-000193 | Low | The IDPS must fail to an organizationally defined known-state for organizationally defined types of failures. | Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a state that is known to be secure helps prevent the loss of... |
SRG-NET-000073-IDPS-NA | Low | The IDPS must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. Examples of... |
SRG-NET-000003-IDPS-000022 | Low | The IDPS must automatically terminate emergency accounts after an organizationally defined time period. | Authentication for administrative access to the device is required at all times. A single account can be created on the device's local data management console for use in an emergency such as when... |
SRG-NET-000060-IDPS-000009 | Low | Accounts must be removed from the IDPS when no longer required. | Allowing unnecessary or unauthorized accounts may allow for them to be compromised by unauthorized users who could then gain full control of the device. DoS attacks, interception of sensitive... |
SRG-NET-000274-IDPS-000218 | Low | The IDPS must activate an organizationally defined alarm when a system component failure is detected. | An IDPS with a failing security component can potentially put the entire network at risk. If key components to maintaining network security fail to function, it is possible the IDPS will continue... |
SRG-NET-000094-IDPS-NA | Low | The IDPS must provide a report generation capability. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000034-IDPS-000055 | Low | Organizationally defined authorizations must be implemented through organizationally defined separation of duties through use of group memberships. | The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered... |
SRG-NET-000242-IDPS-000219 | Low | The IDPS must be configured to automatically check for security updates to the application software on an organizationally defined frequency. | It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous... |
SRG-NET-000041-IDPS-000061 | Low | The IDPS must display an approved system use notification message (or banner) before granting access to the system. | All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear... |
SRG-NET-000157-IDPS-000149 | Low | The IDPS must enforce password complexity by the number of numeric characters used. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000007-IDPS-000032 | Low | The IDPS must automatically audit account modification. | Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary... |
SRG-NET-000135-IDPS-000127 | Low | The IDPS must support organizational requirements to conduct backups of user-level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives. | User information contained on an IDPS is associated with the user's account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures or by a... |
SRG-NET-000013-IDPS-000033 | Low | The IDPS must monitor for unusual usage of administrative user accounts. | Atypical account usage is behavior that is not part of normal usage cycles (e.g., accounts logging in after hours or on weekends). If this atypical behavior is not monitored, user accounts that... |
SRG-NET-000008-IDPS-000029 | Low | The IDPS must notify the designated system administrators when accounts are modified. | Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by... |
SRG-NET-000173-IDPS-000160 | Low | The IDPS must log non-local maintenance and diagnostic sessions. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000159-IDPS-000148 | Low | The IDPS must enforce the number of characters changed when passwords are changed. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000155-IDPS-000150 | Low | The IDPS must enforce password complexity by the number of upper case characters used. | Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a... |
SRG-NET-000242-IDPS-000220 | Low | The IDPS must use a vendor-supported version of the firmware and application software. | The system administrator must monitor IAVM, OS, or OEM patch or vulnerability notices. Software flaw remediation and tracking is ideally performed by a patch management/remediation server.... |
SRG-NET-000104-IDPS-NA | Low | The IDPS must produce audit records on hardware-enforced write-once media. | It is imperative the collected log data from the various IDPS components is secured and stored on write-once media for safekeeping. This is not applicable for IDPS. Sensor logs are aggregated onto a... |
SRG-NET-000136-IDPS-000128 | Low | The IDPS must support organizational requirements to conduct backups of system-level information contained in the information system per organizationally defined frequency. | System information contained on an IDPS contains default and customized attributes, as well as software required for the execution and operation of the device. If this information becomes... |
SRG-NET-000053-IDPS-000001 | Low | The IDPS must limit the number of concurrent sessions for each account to an organizationally defined number. | This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. In many products, this value... |
SRG-NET-000004-IDPS-000024 | Low | The IDPS must automatically disable inactive accounts after an organizationally defined time period of inactivity. | There is always a risk for inactive accounts to be compromised by unauthorized users who could then gain full control of the device, thereby enabling them to trigger DoS attacks, intercept... |
SRG-NET-000091-IDPS-NA | Low | The IDPS must centralize the review and analysis of audit records from multiple network elements within the network. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000075-IDPS-000083 | Low | The IDPS must produce log records containing sufficient information to establish when the events occurred. | It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment.... |
SRG-NET-000042-IDPS-000062 | Low | The IDPS must display the notification message on the screen until the administrator takes explicit action to acknowledge the message. | All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should be acknowledged by the user prior to allowing the user access to the... |
SRG-NET-000230-IDPS-000187 | Low | The IDPS must provide mechanisms to protect the authenticity of communications sessions. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000101-IDPS-000101 | Low | The IDPS must protect audit tools from unauthorized access. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
SRG-NET-000006-IDPS-000025 | Low | The IDPS must notify the appropriate individuals when accounts are created. | Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to IDPS components is secured by granting access to only... |
SRG-NET-000009-IDPS-000030 | Low | The IDPS must automatically audit account disabling actions. | Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary... |
SRG-NET-000272-IDPS-000216 | Low | The IDPS must identify and respond to potential security-relevant error conditions. | Error messages generated by various components and services of the network devices can indicate a possible security violation or breach. It is imperative the IDPS is configured to be able to... |
SRG-NET-000305-IDPS-NA | Low | The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |