ISEC7 EMM Suite v6.x Security Technical Implementation Guide


Overview

Date: 2019-09-05
Finding Count (34): CAT I (High): 1, CAT II (Med): 32, CAT III (Low): 1

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-97249 High ISEC7 EMM Suite must disable or delete local account created during application installation and configuration.
V-97391 Medium The ISEC7 EMM Suite server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, Help Desk User.
V-97297 Medium A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager).
V-97295 Medium The ISEC7 EMM Suite must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat.
V-97293 Medium The Apache Tomcat shutdown port must be disabled.
V-97291 Medium Stack tracing must be disabled in Apache Tomcat.
V-97299 Medium SSL must be enabled on Apache Tomcat.
V-97409 Medium The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.
V-97389 Medium The ISEC7 EMM Suite must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the ISEC7 EMM Suite.
V-97385 Medium The ISEC7 EMM Suite must initiate a session lock after a 15-minute period of inactivity.
V-97263 Medium The ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less.
V-97387 Medium The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
V-97401 Medium The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-97407 Medium The ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited.
V-97265 Medium The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
V-97301 Medium Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks.
V-97303 Medium The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
V-97275 Medium The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm.
V-97287 Medium The ISEC7 EMM Suite must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat.
V-97281 Medium The LockOutRealm must be configured with a login failure count of 3.
V-97283 Medium The LockOutRealm must be configured with a login lockout time of 15 minutes.
V-97289 Medium The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.
V-97261 Medium The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication.
V-97399 Medium Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
V-97279 Medium LockOutRealm must not be removed from Apache Tomcat.
V-97403 Medium The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
V-97415 Medium The Manager Web app password must be configured as follows: 15 or more characters; at least one lower case letter; at least one upper case letter; at least one number; at least one special character.
V-97393 Medium The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-97277 Medium All Web applications included with Apache Tomcat that are not required must be removed.
V-97405 Medium The ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-97411 Medium If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.
V-97413 Medium The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.
V-97395 Medium When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-97397 Low The ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials.