UCF STIG Viewer Logo

Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide


Overview

Date Finding Count (317)
2012-11-19 CAT I (High): 2 CAT II (Med): 167 CAT III (Low): 148
STIG Description
The IDPS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-34526 High The IDPS must allow authorized system administrators to associate security attributes with information.
V-34524 High The IDPS must allow only authorized administrators to change security attributes.
V-34633 Medium The IDPS must use multifactor authentication for network access to privileged accounts.
V-34637 Medium The IDPS must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
V-34638 Medium The IDPS must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.
V-34739 Medium The IDPS must associate security attributes with information exchanged between information systems.
V-34738 Medium The IDPS must protect the integrity and availability of publicly available information and applications.
V-34735 Medium The IDPS must employ FIPS-validated cryptography to protect unclassified information.
V-34734 Medium The IDPS must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-34567 Medium The IDPS must protect sensor event logs from unauthorized deletion.
V-34580 Medium The IDPS must protect audit tools from unauthorized modification.
V-34564 Medium The site must monitor the radio frequency spectrum for unauthorized WLAN devices.
V-34500 Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
V-34501 Medium The IDPS must enforce organizationally defined limitations on the embedding of data types within other data types.
V-34502 Medium The IDPS must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions.
V-34504 Medium The network element must require users of information system accounts, or roles, with access to organizationally defined security functions or security relevant information, use non-privileged accounts or roles, when accessing non-security functions.
V-34505 Medium The IDPS must provide the capability for a privileged administrator to configure organizationally defined security policy filters to support different security policies.
V-34506 Medium The IDPS must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.
V-34507 Medium The IDPS must enforce the organizationally defined limit of consecutive invalid access attempts by a user during the organizationally defined time period.
V-34508 Medium The IDPS must enforce the organizationally defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-34509 Medium The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.
V-34563 Medium The IDPS must provide a centralized management console/server that consolidates sensor logs from the agents and sensors.
V-34647 Medium The network element must dynamically manage identifiers, attributes, and associated access authorizations.
V-34481 Medium The IDPS must enforce approved authorizations for logical access to IDPS components in accordance with applicable policy.
V-34482 Medium The IDPS must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands.
V-34485 Medium The IDPS must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-34484 Medium The IDPS must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.
V-34487 Medium The IDPS management console, management server, or data management console server must reside in the management network.
V-34640 Medium The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-34720 Medium The IDPS must monitor and control traffic at both the external and internal boundary interfaces.
V-34488 Medium The IDPS must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-34722 Medium The IDPS must protect the integrity of transmitted information.
V-34723 Medium The IDPS must use cryptographic mechanisms to protect the integrity of information while in transit, unless otherwise protected by alternative physical measures.
V-34725 Medium The IDPS must protect the confidentiality of transmitted information.
V-34726 Medium The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.
V-34538 Medium The IDPS must enforce requirements for the connection of mobile devices to organizational information systems.
V-34535 Medium The network element must protect wireless access to the network using authentication.
V-34534 Medium The network element must enforce requirements for remote connections to the network.
V-34537 Medium The IDPS must monitor for unauthorized connections of mobile devices to information systems.
V-34536 Medium The network element must protect wireless access to the network using encryption.
V-34531 Medium The IDPS must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.
V-34530 Medium The network element must route all remote access traffic through managed access control points.
V-34533 Medium The IDPS must disable use of organizationally defined networking protocols (on the IDPS components) deemed nonsecure, except for explicitly identified components in support of specific operational requirements.
V-34715 Medium The IDPS must enforce strict adherence to protocol format.
V-34714 Medium The IDPS must prevent discovery of specific system components or devices comprising a managed interface.
V-34716 Medium The IDPS must prevent access into the organizations internal networks except as explicitly permitted and controlled by employing boundary protection devices.
V-34710 Medium The IDPS must check inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-34655 Medium The IDPS must prevent the execution of prohibited mobile code.
V-34656 Medium The IDPS must prevent the download of prohibited mobile code.
V-34657 Medium The IDPS must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
V-34498 Medium The IDPS must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
V-34499 Medium The IDPS must enforce dynamic traffic flow control based on policy that allows/disallows information flows based on changing threat conditions or operational environment.
V-34496 Medium The IDPS must uniquely identify destination domains for information transfer.
V-34497 Medium The network element must uniquely authenticate destination domains for information transfer.
V-34494 Medium The IDPS must uniquely identify source domains for information transfer.
V-34495 Medium The network element must uniquely authenticate source domains for information transfer.
V-34492 Medium The IDPS must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.
V-34493 Medium The IDPS must enforce security policies regarding information on interconnected systems.
V-34491 Medium The IDPS must allow authorized administrators to enable/disable organizationally defined security policy filters.
V-34528 Medium The network element must use approved cryptography to protect the confidentiality of remote access sessions.
V-34529 Medium The network element must be configured to use cryptography to protect the integrity of remote access sessions.
V-34670 Medium The IDPS must enforce minimum password length.
V-34522 Medium The IDPS must support and maintain the binding of organizationally defined security attributes to information in process.
V-34523 Medium The IDPS must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-34521 Medium The IDPS must support and maintain the binding of organizationally defined security attributes to information in storage.
V-34527 Medium The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-34525 Medium The IDPS must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions.
V-34702 Medium The IDPS must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions.
V-34703 Medium The IDPS must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
V-34701 Medium The IDPS must isolate security functions from non-security functions.
V-34707 Medium The IDPS must restrict the ability of users to launch DoS attacks against other information systems or networks.
V-34704 Medium The IDPS must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-34705 Medium The IDPS must prevent unauthorized and unintended information transfer via shared system resources.
V-34708 Medium The IDPS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
V-34709 Medium The IDPS must limit the use of resources by priority.
V-34665 Medium The IDPS must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.
V-34664 Medium The IDPS must enforce information flow control on metadata.
V-34625 Medium The IDPS must not have unnecessary services and capabilities enabled.
V-34620 Medium The IDPS must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
V-34790 Medium The IDPS must enforce organizationally defined one-way traffic flows.
V-34792 Medium The IDPS must support and maintain the binding of organizationally defined security attributes to information in transmission.
V-34645 Medium The IDPS must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.
V-34573 Medium The IDPS must allow administrators to select which rule sets are to be applied at the sensor level.
V-34776 Medium The IDPS must protect information obtained from network monitoring from unauthorized access, modification, and deletion.
V-34775 Medium The IDPS must take an organizationally defined list of least-disruptive actions to terminate suspicious events.
V-34774 Medium The IDPS must notify an organizationally defined list of incident response personnel of suspicious events.
V-34773 Medium The IDPS must be installed in stealth mode without an IP address on the interface with data flow.
V-34772 Medium The IDPS must be configured to alarm if unexpected protocols for network management enter the subnet.
V-34678 Medium The IDPS must enforce password encryption for transmission.
V-34679 Medium The IDPS must enforce minimum password lifetime restrictions.
V-34677 Medium The IDPS must enforce password encryption for storage.
V-34675 Medium The IDPS must enforce password complexity by the number of special characters used.
V-34673 Medium The IDPS must enforce password complexity by the number of lower case characters used.
V-34779 Medium The IDPS must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
V-34671 Medium The IDPS must prohibit password reuse for the organizationally defined number of generations.
V-34771 Medium The IDPS must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.
V-34770 Medium The IDPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.
V-34583 Medium The IDPS must be configured to send an alert to designated personnel in the event the sensor log fails to function.
V-34713 Medium The IDPS must route all management traffic through a dedicated management interface.
V-34486 Medium The IDPS must allow in-band management sessions from authorized IP addresses within the internal trusted network.
V-34463 Medium The IDPS must automatically terminate temporary accounts after an organizationally defined time period for each type of account.
V-34788 Medium The IDPS must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-34782 Medium The IDPS must verify the correct operation of security functions, in accordance with organizationally defined conditions and frequency.
V-34783 Medium The IDPS must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.
V-34780 Medium The IDPS must detect attack attempts to the wireless network.
V-34781 Medium The IDPS must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.
V-34786 Medium The IDPS must detect unauthorized changes to software and information.
V-34787 Medium The IDPS must identify and respond to potential security-relevant error conditions.
V-34784 Medium The IDPS must provide notification of failed automated security tests.
V-34719 Medium The IDPS must monitor and enforce filtering of internal addresses posing a threat to external information systems.
V-34764 Medium The IDPS must automatically update malicious code protection mechanisms and rule definitions.
V-34609 Medium The IDPS must enforce a two-person rule for changes to organizationally defined information system components and system-level information.
V-34608 Medium The IDPS must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.
V-34762 Medium The IDPS must be configured to perform organizationally defined actions in response to malicious code detection.
V-34763 Medium The IDPS must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
V-34603 Medium The IDPS must be configured to enable automated mechanisms to enforce access restrictions.
V-34601 Medium The IDPS must enforce access restrictions associated with changes to the system components.
V-34769 Medium The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
V-34605 Medium The IDPS must produce sensor log records containing sufficient information to establish the source of the event.
V-34604 Medium The IDPS must be configured to enable automated mechanisms to support auditing of the enforcement actions.
V-34618 Medium The IDPS must monitor for unauthorized wireless connections on an organizationally defined frequency.
V-34562 Medium The IDPS management console must be logically installed on the management network.
V-34476 Medium The IDPS must be configured to dynamically manage account privileges and associated access authorizations.
V-34706 Medium The IDPS must protect against or limit the effects of Denial of Service (DoS) attacks.
V-34751 Medium The IDPS must implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.
V-34753 Medium The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-34757 Medium The IDPS must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.
V-34613 Medium The IDPS must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
V-34597 Medium The IDPS must support the requirement to centrally manage the events from multiple sensor queues.
V-34616 Medium The IDPS must generate sensor log records for events determined by the organization to be relevant to the security of the network infrastructure.
V-34614 Medium The IDPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.
V-34746 Medium The IDPS must generate a unique session identifier for each session.
V-34658 Medium The IDPS must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
V-34615 Medium The IDPS must employ automated mechanisms to centrally manage configuration settings.
V-34683 Medium The IDPS must map the authenticated identity to the user account for PKI-based authentication.
V-34682 Medium The IDPS must enforce authorized access to the corresponding private key for PKI-based authentication.
V-34681 Medium The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.
V-34680 Medium The IDPS must enforce maximum password lifetime restrictions.
V-34687 Medium The IDPS must employ automated mechanisms to assist in the tracking of security incidents.
V-34685 Medium The IDPS must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.
V-34684 Medium The IDPS must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
V-34689 Medium The IDPS must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
V-34688 Medium The IDPS must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.
V-34568 Medium The IDPS must protect the sensor event log information from unauthorized modification.
V-34569 Medium The IDPS must protect sensor event log information from unauthorized read access.
V-34778 Medium The IDPS must analyze outbound traffic at the external boundary of the network.
V-34624 Medium The IDPS must ensure detected unauthorized security-relevant configuration changes are tracked.
V-34627 Medium The IDPS must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications.
V-34626 Medium The IDPS must be configured to prohibit or restrict the use of organizationally defined functions, ports, protocols, and/or services.
V-34621 Medium The IDPS must employ automated mechanisms to centrally verify configuration settings.
V-34623 Medium The IDPS must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.
V-34628 Medium The IDPS must employ automated mechanisms to detect the addition of unauthorized components or devices.
V-34612 Medium The IDPS must limit privileges to change software resident within software libraries, including privileged programs.
V-34748 Medium The IDPS must generate unique session identifiers with organizationally defined randomness requirements.
V-34747 Medium The IDPS must allow only system generated session identifiers.
V-34582 Medium The IDPS must protect audit tools from unauthorized deletion.
V-34745 Medium The IDPS must invalidate session identifiers upon user logout or other session termination.
V-34742 Medium The IDPS must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-34743 Medium The IDPS must take corrective action when unauthorized mobile code is identified.
V-34586 Medium The IDPS must use cryptographic mechanisms to protect the integrity of audit log information.
V-34728 Medium The IDPS must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
V-34759 Medium The IDPS must update malicious code protection mechanisms and rules definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-34729 Medium The IDPS must establish a trusted communications path between the user and organizationally defined security functions within the information system.
V-34740 Medium The IDPS must validate the integrity of security attributes exchanged between information systems.
V-34766 Medium The IDPS must only update malicious code protection mechanisms when directed by a privileged user.
V-34691 Medium The IDPS must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.
V-34644 Medium The IDPS must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.
V-34697 Medium The IDPS must employ cryptographic mechanisms to protect information in storage.
V-34698 Medium The IDPS must be configured to detect the presence of unauthorized software on organizational information systems.
V-34632 Low The network element must enforce the identification and authentication of all organizational users.
V-34630 Low The IDPS must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency.
V-34631 Low The IDPS must support organizational requirements to conduct backups of information system documentation, including security related documentation, per organizationally defined frequency that is consistent with recovery time and recovery point objectives.
V-34636 Low The network element must use multifactor authentication for local access to non-privileged accounts.
V-34634 Low The IDPS must use multifactor authentication for local access to privileged accounts.
V-34635 Low The network element must use multifactor authentication for network access to non-privileged accounts.
V-34511 Low The IDPS must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.
V-34639 Low The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.
V-34721 Low The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
V-34733 Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the users private key.
V-34732 Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
V-34731 Low The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
V-34730 Low The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes.
V-34737 Low The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-34736 Low The network element must employ NSA-approved cryptography to protect classified information.
V-34566 Low The IDPS must protect audit tools installed on the IDPS components from unauthorized access.
V-34595 Low The IDPS must allocate sensor log record storage capacity.
V-34607 Low The IDPS must produce sensor event log records containing sufficient information to establish when the events occurred.
V-34606 Low The IDPS must produce sensor event log records containing sufficient information to establish where the events occurred.
V-34503 Low The IDPS must implement separation of duties through assigned information system access authorizations.
V-34727 Low The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
V-34560 Low The network element must provide a report generation capability for the audit log.
V-34561 Low The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria.
V-34646 Low The IDPS must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-34483 Low The IDPS must implement organizationally defined nondiscretionary access control policies over organizationally defined users and resources.
V-34724 Low The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.
V-34648 Low The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation.
V-34515 Low Upon successful logon, the IDPS must display the date and time of the last logon of the user.
V-34617 Low The IDPS must employ automated mechanisms to centrally apply configuration settings.
V-34649 Low The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.
V-34539 Low The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
V-34532 Low The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.
V-34717 Low The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
V-34711 Low The IDPS must implement host based boundary protection mechanisms.
V-34559 Low Audit log reduction must be enabled on the network element.
V-34558 Low The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications.
V-34557 Low The network element must centralize the review and analysis of audit records from multiple network elements within the network.
V-34556 Low The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-34555 Low The IDPS must be capable of taking organizationally defined actions upon audit failure.
V-34554 Low The IDPS must be configured to send an alert to designated personnel in the event of an audit processing failure.
V-34553 Low The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization.
V-34552 Low The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged.
V-34551 Low The IDPS must provide a real-time alert when organizationally defined audit failure events occur.
V-34550 Low The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity.
V-34654 Low The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code.
V-34650 Low The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-34651 Low The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-34592 Low The IDPS must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within organizationally defined level of tolerance for relationship between timestamps of individual records in the audit trail.
V-34520 Low The IDPS must limit the number of concurrent sessions for each account to an organizationally defined number.
V-34700 Low The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
V-34548 Low The network element allocates audit record storage capacity.
V-34544 Low The IDPS must produce audit log records containing sufficient information to determine if the event was a success or failure.
V-34545 Low The IDPS must capture and log sufficient information to establish the identity of user accounts associated with the audit event.
V-34540 Low The IDPS must produce audit log records that contain sufficient information to establish what type of event occurred.
V-34541 Low The IDPS must produce audit log records containing sufficient information to establish when the events occurred.
V-34542 Low The IDPS must produce audit log records containing sufficient information to establish where the events occurred.
V-34543 Low The IDPS must produce audit log records containing sufficient information to establish the source of the event.
V-34661 Low The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.
V-34660 Low The network element must detect unsanctioned information when transferring information between different security domains.
V-34663 Low The network element must identify information flows by data type specification and usage when transferring information between different security domains.
V-34662 Low The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.
V-34667 Low The network element must disable network access by unauthorized devices and must log the information as a security violation.
V-34666 Low The IDPS must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions.
V-34668 Low The IDPS must activate an organizationally defined alarm when a system component failure is detected.
V-34510 Low The IDPS must display an approved system use notification message (or banner) before granting access to the system.
V-34598 Low The IDPS must capture and log organizationally defined additional information (identified by type, location, or subject) to the records for sensor events.
V-34581 Low The IDPS must be configured to stop generating sensor log records or overwrite the oldest log records when a log failure occurs.
V-34579 Low The IDPS must integrate event review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-34578 Low The IDPS must protect application audit logs from unauthorized deletion.
V-34571 Low The IDPS must use internal system clocks to generate timestamps for audit records.
V-34570 Low The IDPS must use internal system clocks to generate timestamps for sensor event records.
V-34572 Low The IDPS must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.
V-34575 Low The IDPS must provide the capability to automatically process sensor log records for events of interest based upon selectable criteria.
V-34574 Low The IDPS must protect application audit event log information from unauthorized read access.
V-34577 Low The IDPS must provide a log reduction capability for the sensor events log.
V-34576 Low The IDPS must protect application audit log information from unauthorized modification.
V-34777 Low The organization must ensure all encrypted traffic is visible to network monitoring tools.
V-34676 Low The IDPS must enforce the number of characters changed when passwords are changed.
V-34674 Low The IDPS must enforce password complexity by the number of numeric characters used.
V-34672 Low The IDPS must enforce password complexity by the number of upper case characters used.
V-34584 Low The network element must produce audit records on hardware-enforced write-once media.
V-34712 Low The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.
V-34585 Low The network element must backup system level audit event log records on an organizationally defined frequency onto a different system or media.
V-34462 Low The IDPS must provide automated support for account management functions.
V-34467 Low The IDPS must notify the appropriate individuals when accounts are created.
V-34466 Low The IDPS must automatically audit the creation of accounts.
V-34465 Low The IDPS must automatically disable inactive accounts after an organizationally defined time period of inactivity.
V-34464 Low The IDPS must automatically terminate emergency accounts after an organizationally defined time period.
V-34785 Low The IDPS must provide automated support for the management of distributed security testing.
V-34643 Low The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.
V-34549 Low The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded.
V-34469 Low The IDPS must notify the appropriate individuals when accounts are modified.
V-34565 Low The IDPS must backup system level and sensor event log records at an organizationally defined frequency onto a different system or media.
V-34718 Low The network element must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
V-34765 Low The network element must prevent non-privileged users from circumventing malicious code protection capabilities.
V-34760 Low The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency.
V-34761 Low The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed.
V-34602 Low The IDPS must produce sensor log records containing sufficient information to determine if the event was a success or failure.
V-34600 Low The IDPS must capture and log sufficient information to establish the identity of any user accounts associated with the sensor log event.
V-34768 Low The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
V-34468 Low The IDPS must automatically audit account modification.
V-34619 Low The IDPS must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces.
V-34599 Low The IDPS must generate audit log events for a locally developed list of auditable events.
V-34470 Low The IDPS must automatically audit account disabling actions.
V-34471 Low The IDPS must notify the appropriate individuals when the account has been disabled.
V-34472 Low The IDPS must automatically audit account termination.
V-34473 Low The IDPS must notify the appropriate individuals for account termination.
V-34475 Low The IDPS must monitor for unusual usage of administrative user accounts.
V-34641 Low The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-34652 Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
V-34653 Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.
V-34750 Low The IDPS must preserve organizationally defined system state information in the event of a system failure.
V-34752 Low The IDPS must protect the confidentiality and integrity of system information at rest.
V-34755 Low The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency.
V-34754 Low The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-34756 Low The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
V-34593 Low The IDPS must produce a system-wide audit trail composed of log records in a standardized format.
V-34611 Low The IDPS must produce sensor event log records that contain sufficient information to establish what type of event occurred.
V-34591 Low The IDPS sensor event logging function must reduce the likelihood of log record capacity being exceeded.
V-34596 Low The IDPS must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
V-34594 Low The IDPS must provide audit record generation capability for organizationally defined auditable events occurring within IDPS.
V-34758 Low The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
V-34587 Low The IDPS must use cryptography to protect the integrity of audit tools.
V-34686 Low The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
V-34517 Low The IDPS must notify the user of the number of successful login attempts occurring during an organizationally defined time period.
V-34696 Low The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-34622 Low The IDPS must enforce a DAC policy that includes or excludes access to the granularity of a single user.
V-34516 Low Upon successful logon, the IDPS must display, to the user, the number of unsuccessful logon attempts since the last successful logon.
V-34514 Low The IDPS must display a DoD approved system use notification message or banner before granting access to the device.
V-34629 Low The network element must support organizational requirements to conduct backups of user level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives.
V-34588 Low The IDPS protects against an individual falsely denying having performed a particular action.
V-34589 Low The IDPS must provide a warning when the sensor event logging storage capacity reaches an organizationally defined maximum capacity.
V-34749 Low The IDPS must fail to an organizationally defined known state for organizationally defined types of failures.
V-34546 Low The IDPS must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.
V-34741 Low The IDPS must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-34659 Low The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
V-34744 Low The IDPS must provide mechanisms to protect the authenticity of communications sessions.
V-34767 Low The network element must not allow users to introduce removable media into the information system.
V-34690 Low The IDPS must log non-local maintenance and diagnostic sessions.
V-34692 Low The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.
V-34694 Low The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.
V-34695 Low The network element must terminate all sessions when non-local maintenance is completed.
V-34547 Low IDPS audit events must be transmitted to the organizations central audit log server.
V-34699 Low The network element must separate user functionality (including user interface services) from information system management functionality.
V-34519 Low The IDPS must notify the user of organizationally defined security related changes to the users account occurring during the organizationally defined time period.
V-34518 Low The IDPS must notify the user of the number of unsuccessful login attempts occurring during organizationally defined time period.
V-34693 Low The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-34642 Low The IDPS must authenticate an organizationally defined list of specific devices by device type before establishing a connection.