
ISEC7 Sphere Security Technical Implementation Guide


Overview

Date: 2020-09-04
Finding Count: 35 (CAT I (High): 2, CAT II (Med): 32, CAT III (Low): 1)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-225096 High The ISEC7 Sphere server must be maintained at a supported version.
V-224767 High ISEC7 EMM Suite must disable or delete local account created during application installation and configuration.
V-224793 Medium Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks.
V-224792 Medium SSL must be enabled on Apache Tomcat.
V-224791 Medium A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager).
V-224790 Medium The ISEC7 EMM Suite must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat.
V-224771 Medium The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-224770 Medium Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
V-224773 Medium The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication.
V-224772 Medium The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.
V-224775 Medium The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
V-224774 Medium The ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less.
V-224777 Medium The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
V-224776 Medium If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
V-224779 Medium The ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-224778 Medium The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.
V-224788 Medium Stack tracing must be disabled in Apache Tomcat.
V-224789 Medium The Apache Tomcat shutdown port must be disabled.
V-224784 Medium The LockOutRealm must be configured with a login lockout time of 15 minutes.
V-224785 Medium The Manager Web app password must be configured as follows: 15 or more characters; at least one lower-case letter; at least one upper-case letter; at least one number; at least one special character.
V-224786 Medium The ISEC7 EMM Suite must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat.
V-224787 Medium The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.
V-224780 Medium The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm.
V-224781 Medium All Web applications included with Apache Tomcat that are not required must be removed.
V-224782 Medium LockOutRealm must not be removed from Apache Tomcat.
V-224783 Medium The LockOutRealm must be configured with a login failure count of 3.
V-224768 Medium When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-224766 Medium The ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited.
V-224764 Medium The ISEC7 EMM Suite server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, Help Desk User.
V-224765 Medium The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-224762 Medium The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
V-224763 Medium The ISEC7 EMM Suite must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the ISEC7 EMM Suite.
V-224760 Medium The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
V-224761 Medium The ISEC7 EMM Suite must initiate a session lock after a 15-minute period of inactivity.
V-224769 Low The ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials.
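Several of the Apache Tomcat findings above (V-224782, V-224783, V-224784, V-224788, V-224789, V-224792 and the TLS 1.2 floor in V-224762) are settings in Tomcat's server.xml, so they can be checked mechanically. The script below is an added example written for this page; it is not part of the STIG, the STIG Viewer, or ISEC7's own tooling, and the STIG's check procedures remain authoritative. The two server.xml samples are constructed for illustration. The attribute names it inspects (failureCount, lockOutTime, SSLEnabled, sslEnabledProtocols, SSLHostConfig protocols, showReport, and Server port="-1" to disable the shutdown listener) are Tomcat's own; note that lockOutTime is expressed in seconds, so the STIG's 15 minutes is 900, and that Tomcat's defaults when the LockOutRealm attributes are omitted are 5 failures and 300 seconds, which is why an attribute-less LockOutRealm fails the check.

```python
"""Audit an Apache Tomcat server.xml against a subset of the ISEC7 Sphere STIG.
Configuration check only; it does not replace the STIG's own check procedures."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Protocols the STIG prohibits (V-224762 requires TLS 1.2 as the floor).
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample configurations (not taken from any real installation).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/sphere.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def _protocol_set(spec):
    """Split Tomcat's comma/space separated protocol list; a leading '+' means add."""
    return {p.strip().lstrip("+") for p in spec.replace(",", " ").split()}


def audit_server_xml(xml_text):
    """Return [(finding_id, detail), ...] for every check that fails."""
    root = ET.fromstring(xml_text)
    findings = []

    # V-224789: Tomcat disables the shutdown listener when port="-1".
    port = root.get("port", "8005")
    if port != "-1":
        findings.append(("V-224789", f"shutdown port is {port}, expected -1"))

    # V-224782/783/784: LockOutRealm present, failureCount=3, lockOutTime=900 s.
    # Tomcat's defaults when the attributes are omitted are 5 and 300.
    realms = [r for r in root.iter("Realm") if r.get("className") == LOCKOUT_REALM]
    if not realms:
        findings.append(("V-224782", "LockOutRealm is not configured"))
    for realm in realms:
        if realm.get("failureCount", "5") != "3":
            findings.append(("V-224783", f"failureCount={realm.get('failureCount', '5 (default)')}, expected 3"))
        if realm.get("lockOutTime", "300") != "900":
            findings.append(("V-224784", f"lockOutTime={realm.get('lockOutTime', '300 (default)')}, expected 900"))

    # V-224792: an SSL-enabled connector must exist; V-224762: TLS 1.2 minimum.
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "false").lower() == "true"]
    if not ssl:
        findings.append(("V-224792", 'no Connector has SSLEnabled="true"'))
    for conn in ssl:
        # Tomcat 8.5+ nests <SSLHostConfig protocols=...>; older releases put
        # sslEnabledProtocols on the Connector itself. Check whichever is present.
        specs = [h.get("protocols") for h in conn.findall("SSLHostConfig") if h.get("protocols")]
        if conn.get("sslEnabledProtocols"):
            specs.append(conn.get("sslEnabledProtocols"))
        where = f"Connector port {conn.get('port')}"
        if not specs:
            findings.append(("V-224762", f"{where}: protocols not pinned, JVM defaults apply"))
        for spec in specs:
            weak = _protocol_set(spec) & WEAK_PROTOCOLS
            if spec.strip().lower() == "all" or weak:
                findings.append(("V-224762", f"{where}: allows {sorted(weak) or 'all'}"))

    # V-224788: ErrorReportValve must not render stack traces. With no valve
    # declared, Tomcat uses its default, which has showReport="true".
    valves = [v for v in root.iter("Valve") if v.get("className") == ERROR_VALVE]
    if not valves:
        findings.append(("V-224788", "no ErrorReportValve declared; default shows stack traces"))
    for valve in valves:
        if valve.get("showReport", "true").lower() != "false":
            findings.append(("V-224788", 'ErrorReportValve showReport is not "false"'))
    return findings
```

Running audit_server_xml(WEAK_SERVER_XML) reports V-224789, V-224783, V-224784, V-224762 and V-224788; the hardened sample returns an empty list. Findings that live outside server.xml (the Windows Trust Store requirement in V-224775, the version string in catalina.jar for V-224787, the unused web applications in V-224781, the Manager password policy and hashing in V-224785 and V-224780) have to be checked on the file system and in tomcat-users.xml and are deliberately out of scope here.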