| V-258598 | High | The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/3 approved algorithm. | This configuration protects to protect the confidentiality of Web UI session and guards against DoS attacks.
This requires the use of secure protocols instead of their unsecured counterparts,... |
| V-258599 | High | The ICS must be configured to send admin log data to a redundant central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in... |
| V-258608 | High | The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-258609 | High | The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows... |
| V-258600 | High | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
| V-258613 | High | The ICS must be configured to run an operating system release that is currently supported by Ivanti. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. |
| V-258615 | High | The ICS must be configured to transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
| V-258620 | High | The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. | Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within the DOD. However, there are many reasons a... |
| V-258605 | Medium | The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit... |
| V-258602 | Medium | If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-258603 | Medium | The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will... |
| V-258606 | Medium | The ICS must be configured to enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-258607 | Medium | The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server... |
| V-258604 | Medium | The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time.... |
| V-258623 | Medium | The ICS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to manage the device. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-258624 | Medium | The ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| V-258625 | Medium | The ICS must be configured to conduct backups of system level information contained in the information system when changes occur. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
| V-258601 | Medium | The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious... |
| V-258611 | Medium | The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| V-258610 | Medium | The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
| V-258612 | Medium | The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system... |
| V-258614 | Medium | The ICS must be configured to enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
| V-258617 | Medium | The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-258616 | Medium | The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at... |
| V-258619 | Medium | The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-258618 | Medium | The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-258621 | Medium | The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-258622 | Medium | The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per... |
