| Vuln ID | Severity | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-246940 | High | ONTAP must be configured to use an authentication server to provide multifactor authentication. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With... |
| V-246946 | High | ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-246964 | High | ONTAP must be configured to send log data to a central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in... |
| V-246962 | High | ONTAP must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive). | This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network... |
| V-246927 | High | ONTAP must enforce administrator privileges based on their defined roles. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate... |
| V-246959 | High | ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-246958 | High | ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be... |
| V-246930 | High | ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
| V-246942 | Medium | ONTAP must enforce organization-defined role-based access control policies over defined subjects and objects. | Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the... |
| V-246943 | Medium | ONTAP must generate log records for a locally developed list of auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or... |
| V-246941 | Medium | ONTAP must be configured to enforce organization-defined mandatory access control policies over all subjects and objects. | Mandatory access control policies constrain what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects... |
| V-246947 | Medium | ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator... |
| V-246944 | Medium | ONTAP must be configured to conduct backups of system level information. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
| V-246945 | Medium | ONTAP must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| V-246948 | Medium | ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-246949 | Medium | ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-246960 | Medium | ONTAP must recognize only system-generated session identifiers. | Network device management web interfaces utilize sessions and session identifiers to control management interface behavior and administrator access. If an attacker can guess the session identifier... |
| V-246961 | Medium | ONTAP must generate unique session identifiers using a FIPS 140-2-approved random number generator. | Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force... |
| V-246963 | Medium | ONTAP must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This... |
| V-246922 | Medium | ONTAP must be configured to limit the number of concurrent sessions. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per... |
| V-246923 | Medium | ONTAP must be configured to create a session lock after 15 minutes. | A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user... |
| V-246924 | Medium | ONTAP must terminate shared/group account credentials when members leave the group. | A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are... |
| V-246925 | Medium | ONTAP must automatically audit account-enabling actions. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to... |
| V-246926 | Medium | ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server... |
| V-246928 | Medium | ONTAP must enforce organization-defined DAC policies. | Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the... |
| V-246929 | Medium | ONTAP must enforce approved authorizations for controlling the flow of management information. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved... |
| V-246955 | Medium | ONTAP must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246954 | Medium | ONTAP must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246957 | Medium | ONTAP must prohibit the use of cached authenticators. | Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be... |
| V-246956 | Medium | ONTAP must require that when a password is changed, the characters are changed in at least eight of the positions within the password. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at... |
| V-246951 | Medium | ONTAP must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
| V-246950 | Medium | ONTAP must authenticate NTP sources using authentication that is cryptographically based. | If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which... |
| V-246953 | Medium | ONTAP must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246952 | Medium | ONTAP must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246933 | Medium | ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit... |
| V-246932 | Medium | ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-246931 | Medium | ONTAP must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| V-246937 | Medium | ONTAP must use internal system clocks to generate time stamps for audit records. | In order to determine what is happening within the network infrastructure or to resolve and trace an attack, the network device must support the organization's capability to correlate the audit... |
| V-246936 | Medium | ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
| V-246935 | Medium | ONTAP must generate an immediate real-time alert of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-246934 | Medium | ONTAP must off-load audit records onto a different system or media. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
| V-246939 | Medium | ONTAP must enforce access restrictions associated with changes to the device configuration. | Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access... |
| V-246938 | Medium | ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time.... |