Vuln ID | Severity | Title | Discussion |
--- | --- | --- | --- |
V-6706 | High | The network attached KVM switch is attached to a network that is not at the same classification level as the ISs attached. | If a network attached KVM switch is attached to a network of a different classification level than the ISs attached to the KVM switch, this will lead to a compromise of sensitive data either on... |
V-6708 | High | The KVM switch is not configured to require the user to login to the KVM switch to access the ISs attached. | Without identification and authentication of the user accessing the network attached KVM switch, anyone can access the ISs attached, and if they have knowledge of a valid userid and password for the... |
V-6717 | High | A network attached KVM switch is attached to ISs of different classification levels. | Because of the problems inherent in the spanning of networks of different classification levels, network attached KVM switches will not be attached to ISs of different classification levels. This... |
V-6677 | High | The KVM switch is not physically protected in accordance with the requirements of the highest classification for any IS connected to the KVM switch. | If the KVM switch is not physically protected in accordance with the requirements of the highest classification for any IS connected to the KVM switch, the KVM switch can be tampered with leading... |
V-6714 | High | The KVM switch is configured to encapsulate and send USB connections other than KVM connections. | Some network attached KVM switches can encapsulate USB connections other than the keyboard, video monitor, and mouse connections. This connection could be a disk drive connection and could allow... |
V-6713 | High | The KVM switch is not configured to use encrypted communications with FIPS 140-1/2 validated cryptography. | Because all administrative traffic contains sensitive data such as unencrypted passwords, it will be encrypted to protect it from interception. The KVM switch will be configured to require... |
V-6710 | High | Group or shared userids are being used on a network attached KVM switch. | Usage of group or shared userids makes it impossible to attribute an action to the originating user. In the case of a malicious action this could make prosecution impossible. The IAO will ensure... |
V-6709 | High | The KVM switch is not configured to require DOD compliant password. | Strong passwords are harder to guess or discover via brute force, making the system more secure from malicious tampering. The IAO will ensure that the KVM switch is configured to require DOD... |
V-6687 | High | The KVM switch has the ability to support a RAS connection, and this feature is not disabled or the connectors on the KVM switch supporting this feature are not blocked with a tamper resistant seal. | KVM switches that support Dialup Remote Access (RAS) do not support a robust identification and authorization process or robust auditing. This feature will not be used. The tamper resistant... |
V-6702 | High | A KVM switch is being used to switch a peripheral other than a keyboard, video or mouse in an environment where the KVM switch is attached to ISs of different classification levels. | Since the other peripheral devices could contain persistent memory and allow data to become compromised by moving it between ISs of differing classification levels, this would create an... |
V-6703 | High | Peripherals other than a keyboard, video, or mouse are attached to a KVM switch that is attached to ISs of different classification levels. | It will be assumed that any peripheral other than a keyboard, video monitor, or mouse attached to a KVM switch is intended to be used regardless of the current configuration of the KVM switch. ... |
V-6705 | High | A network attached KVM switch used to administer ISs is not attached to an “out-of-band” network. | If a network attached KVM switch is attached to an out-of-band network there is less opportunity for a malicious user to compromise the interface and create a denial of service by issuing... |
V-6720 | High | The A/B switch is not physically protected in accordance with the requirements of the highest classification of any IS connected to the A/B switch. | If the A/B switch is not located in an area that has the same physical security as required by the IS of the highest clearance level, this can lead to a compromise of sensitive data. The IAO or SA... |
V-6707 | High | The network-facing component of a network attached KVM switch is not compliant with the current Network Infrastructure STIG. | If the network facing components of a network attached KVM switch are not in compliance with the Network Infrastructure STIG the KVM switch could expose the network to vulnerabilities that could... |
V-6762 | High | An A/B switch is used to switch a peripheral device that has persistent memory or devices that support removable media between two or more ISs of different classification levels. | If the peripheral device attached to an A/B switch, which is connected to ISs of differing classification levels, can be written to and read from, this can lead to the compromise of sensitive or... |
V-6763 | High | Input or output devices including, but not limited to, scanners, printers or plotters are attached to an A/B switch that spans classification levels. | Input devices attached to A/B switches that are in turn attached to ISs of different classification levels could input data to the wrong IS, compromising sensitive or classified data and/or the IS... |
V-6757 | Medium | An A/B switch is used to share a peripheral device between two or more users. | When using a KVM switch to switch a peripheral between two or more users the risk always exists where the peripheral is connected to the wrong IS. An example would be a scanner where the user... |
V-6759 | Medium | KVMs and A/B switches connecting information systems of differing classification levels must be on the NIAP Products Compliance List. | An A/B switch not found on the Approved KVM and A/B Switch lists has not been tested to verify that it does not leak data between systems. This can lead to the compromise of sensitive data or the... |
V-6678 | Medium | Smart (intelligent or programmable) keyboard is used in conjunction with a KVM switch when the KVM switch is connected to ISs of different classification and/or sensitivity. | In an environment where the KVM switch is connected to ISs of different classification and/or sensitivity levels, a smart (intelligent or programmable) keyboard can transfer sensitive data from... |
V-6679 | Medium | A wireless keyboard or mouse that is not in compliance with the current Wireless STIG is attached to a KVM switch. | Signals from wireless devices can be intercepted and decoded, which can lead to the compromise of sensitive data. The IAO or SA will ensure that wireless keyboards or mice attached to KVM... |
V-6715 | Medium | Unused USB ports on the KVM switch are not blocked with tamper resistant seals on a KVM switch that can encapsulate and send the USB protocol over the network to the client. | By blocking the unused USB ports on the network attached KVM switch that can encapsulate USB over IP with tamper resistant seals, we will have an indication if someone has attached an unauthorized... |
V-6681 | Medium | The KVM switch has configurable features, but the configuration is not protected from modification with a DOD compliant password. | If the KVM switch is configurable, some features that are available, such as auto toggling between attached ISs, are not permitted. If the configuration is not protected by a password it can be... |
V-6683 | Medium | A “hot key” feature is enabled other than the menu feature that allows the user to select the IS to be used from the displayed menu. | There are many "hot key" features that could be used. Since each vendor has a different set of features and it is impractical to review all features for all vendors for potential vulnerabilities,... |
V-6682 | Medium | The KVM switch has the feature for automatically toggling between ISs and it is not disabled. | The feature that automatically toggles between connected ISs or active ISs can cause a screen to be automatically displayed that contains sensitive information. This can lead to the compromise of... |
V-6686 | Medium | The KVM switch is not configured to force the change of the configuration password every 90 days, or there is no policy and procedure in place to change the configuration password every 90 days. | The longer the time between password changes, the greater the chance that the password will become compromised. A compromised password can allow a malicious user to change the configuration of the KVM... |
V-6716 | Medium | A network attached KVM switch is configured to control the power supplied to the ISs attached to the KVM switch or the connectors on the KVM switch that support this feature are not blocked with tamper resistant seals. | If a network attached KVM switch can control the power to the ISs attached to it and the KVM switch is compromised, a denial of service can be caused by powering off all the ISs attached to the... |
V-6701 | Medium | Tamper resistant seals are not attached to the KVM switch and all IS cables at their attachment points where the KVM switch is attached to ISs of different classification levels. | Tamper resistant seals are tape designed to break if tampered with. They are used to indicate that a cabinet has been opened or a cable removed, moved or added. For KVM switches attached to ISs... |
V-6704 | Medium | A KVM switch, which is attached to ISs of different classification levels, has connectors for additional peripherals other than the keyboard, video, or mouse that are not blocked with tamper resistant seals. | It will be assumed that KVM switches that can switch peripherals other than the keyboard, video monitor, and mouse, that are attached to ISs of differing classification levels, and that do not... |
V-6760 | Medium | Tamper resistant seals are not attached to the A/B switch and all IS cables at their attachment points for A/B switches attached to devices or ISs that have different classification levels. | Without the presence of tamper resistant seals, the A/B switch or its connections can be tampered with and the tampering will go undetected. This can lead to the compromise of sensitive data or... |
V-6699 | Medium | KVM or A/B switches must be approved prior to being connected to ISs that are at different classification levels. | Only KVM switches that have been tested and verified to prevent the transfer of data from one IS to another will be used when the ISs connected to the switch are of differing classification... |
V-6719 | Low | There is no user documentation describing the correct usage and users' responsibilities for an A/B switch. | The Security Features Users Guide (SFUG) gives the users a single source to find security policy and guidance as to the users' responsibility for security. The general policies and user... |
V-6718 | Low | There are no user agreements documenting the use of A/B switches. | A signed user agreement is proof that the user has been informed of his security responsibilities when using an A/B switch. The IAO will maintain written user agreements for all users authorized... |
V-6675 | Low | Written user agreements for all users authorized to use the KVM or A/B switch are not being maintained. | A written user agreement allows the IAO to be certain the end user that will be using the equipment has been presented with the documentation that explains their duties and responsibilities in... |
V-6676 | Low | A SFUG, or an equivalent document, that describes the correct uses of the switch and the users' responsibilities, is not being maintained and distributed. | The SFUG or an equivalent document describes the users' security responsibilities including any site-specific requirements. This gives the user a single reference source for both initial... |
V-6712 | Low | The network attached KVM switch does not display an Electronic Notice and Consent Banner compliant with the requirements of CJCSM 6510.01. | The warning banner notifies the user that they are accessing a DOD system and that they consent to having their actions monitored. Without this banner it is difficult to prosecute individuals who... |
V-6711 | Low | The network attached KVM switch is not configured to restrict users' access only to the systems they require. | Users accessing ISs that they do not have access to can lead to the compromise of sensitive data. The IAO will ensure that the KVM switch is configured to restrict users' access only to the systems they require. |
V-6680 | Low | The desktop background of information systems attached to a KVM switch must be labeled with the proper classification banners. | Without the banners to identify the information system the KVM switch is currently active on, the user could enter a command to the wrong information system and create a denial of service or the... |
V-6685 | Low | A written description of the KVM switch, the ISs attached to the KVM switch, and the classification level of each IS attached to the KVM switch is not maintained. | Without a written description of the KVM switch, the ISs attached to the KVM switch, and the classification level of each IS attached to the KVM switch, tampering with the KVM switch by adding or... |
V-6684 | Low | A machine-readable or a paper-document backup is not maintained for the configuration of the KVM switch. | Without a backup of the KVM switch's configuration, you can have a denial of service if the configuration cannot be restored quickly in the event that it is lost or a faulty switch needs to be... |
V-6758 | Low | The A/B switch is not marked in accordance with the Sharing Peripherals Across the Network STIG. | Failure to correctly mark switch positions and cable connections can lead to the A/B switch connecting the wrong device to the wrong system for the current intended use. This can lead to a denial... |
V-6700 | Low | A KVM switch is cascaded while being attached to ISs of different classification levels. | Cascading KVM switches, connecting one switch to another switch, can make it difficult to determine which system is currently connected to the keyboard, video and mouse by simple observation. In... |
V-6761 | Low | A/B switches, that are connected to devices or ISs which are at different classification levels, are cascaded. | When A/B switches are cascaded it is difficult to verify that the currently selected connection is the correct selection. When A/B switches are used with ISs of differing classification levels... |
V-6698 | Low | Written permission from the DAA responsible for each IS attached to a KVM switch that is attached to ISs of different classification levels is not being maintained. | The DAA responsible for an IS attached to a KVM switch that has other ISs attached of differing classification levels must approve of the use of the KVM switch. The DAA is the only individual... |