UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Network Device Management Security Requirements Guide


Overview

Date Finding Count (308)
2013-07-30 CAT I (High): 4 CAT II (Med): 141 CAT III (Low): 163
STIG Description
The Network Device Management Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
SRG-NET-000015-NDM-000015 High The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SRG-NET-000205-NDM-NA High The network device must monitor and control traffic at both the external and internal boundary interfaces.
SRG-NET-000191-NDM-NA High The network device must protect against or limit the effects of denial of service attacks.
SRG-NET-000019-NDM-NA High The network device must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
SRG-NET-000203-NDM-NA Medium The network device must route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application network devices (application proxy servers) at managed interfaces.
SRG-NET-000163-NDM-000120 Medium The network device must enforce maximum password lifetime restrictions.
SRG-NET-000214-NDM-000157 Medium The network device must establish a trusted communications path between the user and organizationally defined security functions within the information system.
SRG-NET-000131-NDM-NA Medium The network device must not have unnecessary services and functions enabled.
SRG-NET-000014-NDM-000014 Medium The network device must be configured to dynamically manage administrative privileges and associated command authorizations.
SRG-NET-000220-NDM-NA Medium The network device must employ FIPS-validated cryptography to protect unclassified information.
SRG-NET-000021-NDM-000020 Medium The network device must implement role-based management to allow authorized administrators to enable/disable organizationally defined security policy filters.
SRG-NET-000049-NDM-000032 Medium Upon successful login, the network device must notify the user of the number of unsuccessful login attempts since the last successful login.
SRG-NET-000160-NDM-000117 Medium The network device must enforce password encryption for storage.
SRG-NET-000134-NDM-000098 Medium The network device must employ automated mechanisms to detect the addition of unauthorized components or devices.
SRG-NET-000263-NDM-NA Medium The network device must analyze outbound traffic at the external boundary of the network.
SRG-NET-000211-NDM-000154 Medium The network device must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.
SRG-NET-000264-NDM-NA Medium The network device must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
SRG-NET-000177-NDM-000136 Medium The network device must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.
SRG-NET-000033-NDM-NA Medium The network device must enforce information flow control using organization defined security policy filters as a basis for flow control decisions.
SRG-NET-000152-NDM-000109 Medium The network device must dynamically manage identifiers, attributes, and associated access authorizations.
SRG-NET-000031-NDM-NA Medium The network device must enforce organizationally defined limitations on the embedding of data types within other data types.
SRG-NET-000190-NDM-000147 Medium The network device must prevent unauthorized and unintended information transfer via shared system resources.
SRG-NET-000164-NDM-000121 Medium The network device must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.
SRG-NET-000250-NDM-NA Medium The network device must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SRG-NET-000072-NDM-NA Medium The network device must enforce requirements for the connection of mobile devices to organizational information systems.
SRG-NET-000199-NDM-000149 Medium The network device must prevent discovery of specific network components or devices comprising a managed interface.
SRG-NET-000227-NDM-000168 Medium The network device must obtain public key certificates from an appropriate certificate policy through an approved service provider.
SRG-NET-000231-NDM-000170 Medium The network device must invalidate session identifiers upon user logout or other session termination.
SRG-NET-000027-NDM-NA Medium The network device must uniquely authenticate destination domains for information transfer.
SRG-NET-000189-NDM-000146 Medium The network device must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SRG-NET-000181-NDM-000140 Medium The network device must be configured to detect the presence of unauthorized software on organizational information systems.
SRG-NET-000175-NDM-000134 Medium The network device must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.
SRG-NET-000213-NDM-000156 Medium The network device must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
SRG-NET-000063-NDM-000043 Medium The network device must use approved cryptography to protect the integrity of remote access sessions.
SRG-NET-000023-NDM-NA Medium The network device must enforce security policies regarding information on interconnected systems.
SRG-NET-000146-NDM-000106 Medium The network device must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.
SRG-NET-000192-NDM-NA Medium The network device must restrict the ability of individuals to launch denial of service attacks against other information systems or networks.
SRG-NET-000267-NDM-000179 Medium The network device must verify the correct operation of security functions, in accordance with organizationally identified conditions and frequency.
SRG-NET-000119-NDM-000077 Medium The network device must use automated mechanisms to enforce access restrictions.
SRG-NET-000210-NDM-000153 Medium The network device must protect the confidentiality of transmitted information.
SRG-NET-000194-NDM-NA Medium The network device must limit the use of resources by priority.
SRG-NET-000265-NDM-NA Medium The network device must detect attack attempts to the wireless network.
SRG-NET-000287-NDM-000190 Medium The network device must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
SRG-NET-000124-NDM-000082 Medium The network device must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
SRG-NET-000016-NDM-000016 Medium The network device must enforce dual authorization based on organizational policies and procedures for organization defined privileged commands.
SRG-NET-000133-NDM-000097 Medium The network device must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications.
SRG-NET-000195-NDM-NA Medium The network device must check inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.
SRG-NET-000129-NDM-NA Medium The network device must ensure detected unauthorized security-relevant configuration changes are tracked.
SRG-NET-000162-NDM-000119 Medium The network device must enforce minimum password lifetime restrictions.
SRG-NET-000143-NDM-000104 Medium The network device must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
SRG-NET-000060-NDM-NA Medium The network device must allow the association of security attributes with information by authorized system administrators.
SRG-NET-000125-NDM-NA Medium The network device must employ automated mechanisms to centrally manage configuration settings.
SRG-NET-000178-NDM-000137 Medium The network device must terminate all sessions when non-local maintenance is completed.
SRG-NET-000279-NDM-000188 Medium The network device must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.
SRG-NET-000156-NDM-000113 Medium The network device must enforce password complexity by the number of lowercase characters used.
SRG-NET-000070-NDM-NA Medium The network device must protect wireless access to the network using encryption.
SRG-NET-000139-NDM-000102 Medium The network device must use multifactor authentication for network access to privileged accounts.
SRG-NET-000059-NDM-NA Medium The network device must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions.
SRG-NET-000020-NDM-000019 Medium The network device must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
SRG-NET-000002-NDM-000002 Medium The network device must automatically terminate temporary accounts after an organization defined time period for each type of account.
SRG-NET-000022-NDM-000021 Medium The network device must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.
SRG-NET-000061-NDM-000041 Medium The network device must employ automated mechanisms to monitor and control remote access methods.
SRG-NET-000151-NDM-NA Medium The network device must authenticate devices before establishing network connections using bidirectional authentication between cryptography-based devices.
SRG-NET-000174-NDM-000133 Medium The network device must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.
SRG-NET-000144-NDM-000105 Medium The network device must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the network device being accessed.
SRG-NET-000150-NDM-NA Medium The network device must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptography-based devices.
SRG-NET-000251-NDM-NA Medium The network device must automatically update malicious code protection mechanisms and rule definitions.
SRG-NET-000257-NDM-NA Medium The network device must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.
SRG-NET-000037-NDM-000024 Medium The network device must be configured to automatically disable the device if any of the organization defined list of security violations are detected.
SRG-NET-000025-NDM-NA Medium The network device must uniquely authenticate source domains for information transfer.
SRG-NET-000028-NDM-NA Medium The network device must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
SRG-NET-000249-NDM-NA Medium The network device must be configured to perform organizationally defined actions in response to malicious code detection.
SRG-NET-000268-NDM-000180 Medium The network device must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.
SRG-NET-000176-NDM-000135 Medium The network device must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
SRG-NET-000280-NDM-NA Medium The network device must enforce information flow control based on organizationally defined metadata.
SRG-NET-000166-NDM-000123 Medium The network device must map the authenticated identity to the user account for PKI-based authentication.
SRG-NET-000032-NDM-NA Medium The network device must enforce organization defined one-way traffic flows using hardware mechanisms.
SRG-NET-000259-NDM-NA Medium The network device must notify an organizationally defined list of incident response personnel of suspicious events.
SRG-NET-000069-NDM-NA Medium The network device must protect wireless access to the network using authentication.
SRG-NET-000058-NDM-000040 Medium The network device must allow the change of security attributes by authorized administrators.
SRG-NET-000170-NDM-000129 Medium The network device must employ automated mechanisms to assist in the tracking of security incidents.
SRG-NET-000200-NDM-NA Medium The network device must enforce strict adherence to protocol format.
SRG-NET-000261-NDM-NA Medium The network device must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
SRG-NET-000201-NDM-NA Medium The network device must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.
SRG-NET-000106-NDM-000071 Medium The network device must use cryptographic mechanisms to protect the integrity of audit log information.
SRG-NET-000064-NDM-000044 Medium The network device must route all remote access traffic through managed access control points.
SRG-NET-000024-NDM-NA Medium The network device must uniquely identify source domains for information transfer.
SRG-NET-000273-NDM-000185 Medium The network device must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
SRG-NET-000187-NDM-000145 Medium The network device must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
SRG-NET-000158-NDM-000115 Medium The network device must enforce password complexity by the number of special characters used.
SRG-NET-000308-NDM-000193 Medium The network device must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SRG-NET-000057-NDM-NA Medium The network device must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
SRG-NET-000030-NDM-NA Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
SRG-NET-000260-NDM-NA Medium The network device must take an organizationally defined list of least-disruptive actions to terminate suspicious events.
SRG-NET-000239-NDM-000177 Medium The network device must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest.
SRG-NET-000228-NDM-NA Medium The network device must implement detection and inspection mechanisms to identify unauthorized mobile code.
SRG-NET-000026-NDM-NA Medium The network device must uniquely identify destination domains for information transfer.
SRG-NET-000219-NDM-000160 Medium The network device must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000208-NDM-000151 Medium The network device must use cryptographic mechanisms to detect changes to information during transmission, unless otherwise protected by alternative physical measures.
SRG-NET-000127-NDM-NA Medium The network device must employ automated mechanisms to centrally verify configuration settings.
SRG-NET-000207-NDM-000150 Medium The network device must protect the integrity of transmitted information.
SRG-NET-000071-NDM-NA Medium The network device must monitor for unauthorized connections of mobile devices to information systems.
SRG-NET-000286-NDM-000189 Medium The network device must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
SRG-NET-000118-NDM-000076 Medium The network device must enforce access restrictions associated with changes to the system components.
SRG-NET-000269-NDM-000181 Medium The network device must provide notification of failed automated security tests.
SRG-NET-000244-NDM-NA Medium The network device must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.
SRG-NET-000246-NDM-NA Medium The network device must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
SRG-NET-000065-NDM-000045 Medium The network device must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.
SRG-NET-000288-NDM-NA Medium The network device must prevent the download of prohibited mobile code.
SRG-NET-000289-NDM-NA Medium The network device must prevent the execution of prohibited mobile code.
SRG-NET-000103-NDM-NA Medium The network device must protect audit tools from unauthorized deletion.
SRG-NET-000168-NDM-000125 Medium The network device must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.
SRG-NET-000229-NDM-NA Medium The network device must take corrective action when unauthorized mobile code is identified.
SRG-NET-000165-NDM-000122 Medium The network device must enforce authorized access to the corresponding private key for PKI-based authentication.
SRG-NET-000266-NDM-NA Medium The network device must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.
SRG-NET-000186-NDM-000144 Medium The network device must isolate security functions used to enforce access and information flow control from both non-security functions and other security functions.
SRG-NET-000040-NDM-000027 Medium The network device must automatically lock an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.
SRG-NET-000038-NDM-000025 Medium The network device must enforce the organizationally defined maximum number of consecutive invalid login attempts.
SRG-NET-000141-NDM-000103 Medium The network device must use multifactor authentication for local access to privileged accounts.
SRG-NET-000123-NDM-000081 Medium The network device must limit privileges to change software resident within software libraries, including privileged programs.
SRG-NET-000029-NDM-NA Medium The network must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.
SRG-NET-000272-NDM-000184 Medium The network device must identify and respond to potential security-relevant error conditions.
SRG-NET-000154-NDM-000111 Medium The network device must prohibit password reuse for the organizationally defined number of generations.
SRG-NET-000039-NDM-000026 Medium The network device must enforce the organizationally defined time period over which the number of invalid login attempts are counted.
SRG-NET-000035-NDM-NA Medium The network device must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.
SRG-NET-000198-NDM-000148 Medium The network device must route all management traffic through a dedicated management interface for purposes of access control and auditing.
SRG-NET-000204-NDM-NA Medium The network device must monitor and enforce filtering of internal addresses posing a threat to external information systems.
SRG-NET-000167-NDM-000124 Medium The network device must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
SRG-NET-000172-NDM-000131 Medium The network device must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
SRG-NET-000226-NDM-NA Medium The network device must validate the integrity of security attributes exchanged between information systems.
SRG-NET-000193-NDM-NA Medium The network device must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SRG-NET-000128-NDM-NA Medium The network device must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.
SRG-NET-000225-NDM-NA Medium The network device must associate security attributes with information exchanged between information systems.
SRG-NET-000271-NDM-000183 Medium The network device must detect unauthorized changes to software and information.
SRG-NET-000224-NDM-NA Medium The network device must protect the integrity and availability of publicly available information and applications.
SRG-NET-000197-NDM-NA Medium The network device must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the network.
SRG-NET-000062-NDM-000042 Medium The network device must use approved cryptography to protect the confidentiality of remote access sessions.
SRG-NET-000258-NDM-NA Medium The network device must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
SRG-NET-000132-NDM-000083 Medium The network device must prohibit or restrict network traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000153-NDM-000110 Medium The network device must enforce minimum password length.
SRG-NET-000161-NDM-000118 Medium The network device must enforce password encryption for transmission.
SRG-NET-000256-NDM-NA Medium The network device must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
SRG-NET-000253-NDM-NA Medium The network device must only update malicious code protection mechanisms when directed by a privileged user.
SRG-NET-000122-NDM-000080 Medium The network device must enforce a two-person rule for changes to organizationally defined information system components and system-level information.
SRG-NET-000120-NDM-000078 Medium The network device must use automated mechanisms to support auditing of the enforcement actions.
SRG-NET-000001-NDM-000001 Low The network device must provide automated support for account management functions.
SRG-NET-000212-NDM-000155 Low The network device must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000114-NDM-000074 Low The network device must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
SRG-NET-000221-NDM-NA Low The network device must employ NSA-approved cryptography to protect classified information.
SRG-NET-000138-NDM-000101 Low The network device must enforce the identification and authentication of all organizational users.
SRG-NET-000305-NDM-NA Low The network device that collectively provides name/address resolution service for an organization must implement internal/external role separation.
SRG-NET-000222-NDM-NA Low The network device must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
SRG-NET-000048-NDM-000031 Low Upon successful login, the network device must notify the user of the date and time of the last login.
SRG-NET-000094-NDM-NA Low The network device must provide a report generation capability for the audit log.
SRG-NET-000309-NDM-NA Low The network device must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces.
SRG-NET-000132-NDM-000093 Low The network device must prohibit or restrict System Log (SYSLOG) UDP Port 514 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000107-NDM-NA Low The network device must use cryptography to protect the integrity of audit tools.
SRG-NET-000132-NDM-000091 Low The network device must prohibit or restrict Simple Network Management Protocol Trap (SNMPTRAP) UDP Port 162 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000051-NDM-000034 Low The network device must notify the user of the number of unsuccessful login attempts occurring during an organizationally defined time period.
SRG-NET-000132-NDM-000094 Low The network device must prohibit or restrict TELNET Protocol over TLS/SSL (TELNETS) TCP Port 992 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000245-NDM-NA Low The network device must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities.
SRG-NET-000148-NDM-000107 Low The network device must authenticate an organizationally defined list of specific devices by device type before establishing a connection.
SRG-NET-000090-NDM-NA Low The network device must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
SRG-NET-000262-NDM-NA Low The network device must ensure all encrypted traffic is visible to network monitoring tools.
SRG-NET-000135-NDM-NA Low The network device must support organizational requirements to conduct backups of user-level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-000085-NDM-000059 Low The network device must provide a real-time alert when organizationally defined audit failure events occur.
SRG-NET-000036-NDM-000023 Low The network device must provide finer-grained allocation of account privileges through the use of separate processing domains.
SRG-NET-000110-NDM-NA Low The network device must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
SRG-NET-000248-NDM-NA Low The network device must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed.
SRG-NET-000218-NDM-NA Low The network device must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SRG-NET-000080-NDM-000054 Low The network device must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.
SRG-NET-000215-NDM-000158 Low The network device must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes.
SRG-NET-000104-NDM-NA Low The network device must produce audit records on hardware-enforced write-once media.
SRG-NET-000254-NDM-NA Low The network device must not allow users to introduce removable media into the information system.
SRG-NET-000157-NDM-000114 Low The network device must enforce password complexity by the number of numeric characters used.
SRG-NET-000004-NDM-000004 Low The network device must automatically disable inactive accounts after an organization defined time period of inactivity.
SRG-NET-000074-NDM-000048 Low The network device must produce audit log records containing sufficient information to establish what type of event occurred.
SRG-NET-000093-NDM-000064 Low The network device must have audit log reduction enabled.
SRG-NET-000099-NDM-000068 Low The network device must protect audit log information from unauthorized modification.
SRG-NET-000053-NDM-000036 Low The network device must limit the number of concurrent sessions for each account to an organizationally defined number.
SRG-NET-000115-NDM-000075 Low The network device must generate audit log events for a locally developed list of auditable events.
SRG-NET-000147-NDM-NA Low The network device must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SRG-NET-000306-NDM-000191 Low The network device must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
SRG-NET-000101-NDM-NA Low The network device must protect audit tools from unauthorized access.
SRG-NET-000132-NDM-000095 Low The network device must prohibit or restrict Trivial File Transfer Protocol (TFTP) UDP Port 69 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000098-NDM-000067 Low The network device must protect audit log information from unauthorized read access.
SRG-NET-000105-NDM-000070 Low The network device must backup system level audit event log records on an organizationally defined frequency onto a different system or media.
SRG-NET-000076-NDM-000050 Low The network device must produce audit log records containing sufficient information to establish where events occurred.
SRG-NET-000243-NDM-NA Low The network device must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
SRG-NET-000066-NDM-000046 Low The network device must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.
SRG-NET-000145-NDM-NA Low The network device must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network device being accessed.
SRG-NET-000043-NDM-000030 Low The network device must display a DoD-approved system use notification message (or banner) before granting access to the device.
SRG-NET-000079-NDM-000053 Low The network device must capture and log sufficient information to establish the identity of user accounts associated with audit events.
SRG-NET-000169-NDM-NA Low The network device must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
SRG-NET-000278-NDM-000187 Low The network device must display security attributes on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions.
SRG-NET-000132-NDM-000084 Low The network device must prohibit or restrict File Transfer Protocol (FTP) TCP Ports 20 and 21 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000300-NDM-NA Low The network device must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.
SRG-NET-000042-NDM-000029 Low The network device must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.
SRG-NET-000206-NDM-NA Low The network device must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
SRG-NET-000092-NDM-000063 Low The network device must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications.
SRG-NET-000050-NDM-000033 Low The network device must notify the user of the number of successful login attempts occurring during an organizationally defined time period.
SRG-NET-000112-NDM-NA Low The network device must produce a system-wide audit trail composed of log records in a standardized format.
SRG-NET-000121-NDM-000079 Low The network device must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.
SRG-NET-000087-NDM-NA Low The network device must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization.
SRG-NET-000182-NDM-000141 Low The network device must separate user functionality (including user interface services) from information system management functionality.
SRG-NET-000132-NDM-000092 Low The network device must prohibit or restrict Secure Shell (SSH) TCP Port 22 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000149-NDM-000108 Low The network device must authenticate devices before establishing remote network connections using bidirectional authentication between cryptography-based devices.
SRG-NET-000232-NDM-000171 Low The network device must generate a unique session identifier for each session.
SRG-NET-000137-NDM-000100 Low The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-000230-NDM-000169 Low The network device must provide mechanisms to protect the authenticity of communications sessions.
SRG-NET-000132-NDM-000090 Low The network device must prohibit or restrict Simple Network Management Protocol (SNMP) UDP Port 161 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000088-NDM-000060 Low The network device must be configured to send an alert to designated personnel in the event of an audit processing failure.
SRG-NET-000100-NDM-000069 Low The network device must protect audit logs from unauthorized deletion.
SRG-NET-000132-NDM-000096 Low The network device must prohibit or restrict Terminal Access Controller Access Control System Plus (TACACS+) TCP Port 49 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000217-NDM-NA Low The network device must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
SRG-NET-000113-NDM-000073 Low The network device must provide audit record generation capability for organizationally defined auditable events occurring within the network device.
SRG-NET-000277-NDM-NA Low The network device must disable network access by unauthorized devices and must log the information as a security violation.
SRG-NET-000168-NDM-000126 Low The network device must use NIST-validated FIPS 140-2 cryptography to implement SSH authentication encryption mechanisms.
SRG-NET-000159-NDM-000116 Low The network device must enforce the number of characters changed when passwords are changed.
SRG-NET-000005-NDM-000005 Low The network device must automatically audit the creation of accounts.
SRG-NET-000283-NDM-NA Low The network device must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.
SRG-NET-000056-NDM-000039 Low The network device must support and maintain the binding of organizationally defined security attributes to information in transmission.
SRG-NET-000236-NDM-000175 Low The network device must preserve organizationally defined system state information in the event of a system failure.
SRG-NET-000126-NDM-NA Low The network device must employ automated mechanisms to centrally apply configuration settings.
SRG-NET-000096-NDM-000065 Low The network device must use internal system clocks to generate timestamps for audit records.
SRG-NET-000011-NDM-000011 Low The network device must automatically audit account termination.
SRG-NET-000216-NDM-000159 Low The network device must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
SRG-NET-000237-NDM-NA Low The network device must include components that proactively seek to identify web based malicious code.
SRG-NET-000010-NDM-000010 Low The network device must notify the appropriate individuals when account-disabling actions are taken.
SRG-NET-000055-NDM-000038 Low The network device must support and maintain the binding of organizationally defined security attributes to information in process.
SRG-NET-000270-NDM-000182 Low The network device must provide automated support for the management of distributed security testing.
SRG-NET-000132-NDM-000089 Low The network device must prohibit or restrict SSH File Transfer Protocol (SFTP) TCP Port 22 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000302-NDM-NA Low The network device must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
SRG-NET-000018-NDM-000018 Low The network device must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.
SRG-NET-000242-NDM-NA Low The network device must be configured to automatically check for security updates to the application software on an organizationally defined frequency.
SRG-NET-000082-NDM-000056 Low The network device must allocate audit record storage capacity.
SRG-NET-000241-NDM-000178 Low The network device must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000081-NDM-000055 Low The network device must transmit audit events to the organization's central audit log server.
SRG-NET-000007-NDM-000007 Low The network device must automatically audit account modification.
SRG-NET-000102-NDM-NA Low The network device must protect audit tools from unauthorized modification.
SRG-NET-000219-NDM-000162 Low The network device must employ cryptographic protections using cryptographic modules for TFTP complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000219-NDM-000164 Low The network device must employ cryptographic protections using cryptographic modules NTP complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000219-NDM-000165 Low The network device must employ cryptographic protections using cryptographic modules for SYSLOG complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000219-NDM-000166 Low The network device must employ cryptographic protections using cryptographic modules for SNMP complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000091-NDM-000062 Low The network device must centralize the review and analysis of audit records from multiple network devices within the network.
SRG-NET-000086-NDM-NA Low The network device must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged.
SRG-NET-000304-NDM-NA Low The network device that collectively provides name/address resolution service for an organization must be fault tolerant.
SRG-NET-000142-NDM-NA Low The network device must use multifactor authentication for local access to non-privileged accounts.
SRG-NET-000054-NDM-000037 Low The network device must support and maintain the binding of organizationally defined security attributes to information in storage.
SRG-NET-000095-NDM-NA Low The network device must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria.
SRG-NET-000136-NDM-000099 Low The network device must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency.
SRG-NET-000073-NDM-NA Low The network device must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
SRG-NET-000183-NDM-000142 Low The network device must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
SRG-NET-000013-NDM-000013 Low The network device must monitor for irregular usage of administrative user accounts.
SRG-NET-000077-NDM-000051 Low The network device must produce audit log records containing sufficient information to establish the source of events.
SRG-NET-000219-NDM-000163 Low The network device must employ cryptographic protections using cryptographic modules for SSH complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000132-NDM-000087 Low The network device must prohibit or restrict Network Time Protocol (NTP) UDP Port 123 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000012-NDM-000012 Low The network device must notify the appropriate individuals for account termination.
SRG-NET-000017-NDM-000017 Low The network device must implement nondiscretionary access control policies over an organization defined set of users and resources.
SRG-NET-000196-NDM-NA Low The network device must implement host-based boundary protection mechanisms.
SRG-NET-000084-NDM-000058 Low The network device must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity.
SRG-NET-000068-NDM-000047 Low The network device must enforce requirements for remote connections to the network.
SRG-NET-000168-NDM-000128 Low The network device must use NIST-validated FIPS 140-2 cryptography to implement NTP authentication encryption mechanisms.
SRG-NET-000089-NDM-000061 Low The network device must be capable of taking organizationally defined actions upon audit failure.
SRG-NET-000168-NDM-000127 Low The network device must use NIST-validated FIPS 140-2 cryptography to implement SNMP authentication encryption mechanisms.
SRG-NET-000219-NDM-000167 Low The network device must employ cryptographic protections using cryptographic modules for TELNET complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000219-NDM-000161 Low The network device must employ cryptographic protections using cryptographic modules for FTP complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000008-NDM-000008 Low The network device must notify the appropriate individuals when accounts are modified.
SRG-NET-000307-NDM-000192 Low The network device must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
SRG-NET-000234-NDM-000173 Low The network device must generate unique session identifiers with organizationally defined randomness requirements.
SRG-NET-000083-NDM-000057 Low The network device logging function must be configured to reduce the likelihood of audit log record capacity being exceeded.
SRG-NET-000252-NDM-NA Low The network device must prevent non-privileged users from circumventing malicious code protection capabilities.
SRG-NET-000184-NDM-000143 Low The network device must isolate security functions from non-security functions.
SRG-NET-000075-NDM-000049 Low The network device must produce audit log records containing sufficient information to establish when events occurred.
SRG-NET-000003-NDM-000003 Low The network device must automatically terminate emergency accounts after an organization defined time period.
SRG-NET-000155-NDM-000112 Low The network device must enforce password complexity by the number of uppercase characters used.
SRG-NET-000108-NDM-000072 Low The network device must protect against an individual falsely denying having performed a particular action.
SRG-NET-000247-NDM-NA Low The network device must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency.
SRG-NET-000041-NDM-000028 Low The network device must display an approved system use notification message (or banner) before granting access to the system.
SRG-NET-000290-NDM-NA Low The network device must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code.
SRG-NET-000202-NDM-NA Low The network device must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
SRG-NET-000180-NDM-000139 Low The network device must employ cryptographic mechanisms to protect information in storage.
SRG-NET-000097-NDM-000066 Low The network device must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.
SRG-NET-000132-NDM-000088 Low The network device must prohibit or restrict Remote Authentication Dial In User Service (RADIUS) UDP Ports 1812 and 1813 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000009-NDM-000009 Low The network device must automatically audit account disabling actions.
SRG-NET-000274-NDM-000186 Low The network device must activate an organizationally defined alarm when a system component failure is detected.
SRG-NET-000284-NDM-NA Low The network device must detect unsanctioned information when transferring information between different security domains.
SRG-NET-000255-NDM-NA Low The network device must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
SRG-NET-000238-NDM-000176 Low The network device must protect the confidentiality and integrity of system information at rest.
SRG-NET-000078-NDM-000052 Low The network device must produce audit log records containing sufficient information to determine if an event was a success or failure.
SRG-NET-000233-NDM-000172 Low The network device must allow only system-generated session identifiers.
SRG-NET-000173-NDM-000132 Low The network device must log non-local maintenance and diagnostic sessions.
SRG-NET-000171-NDM-000130 Low The network device must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.
SRG-NET-000209-NDM-000152 Low The network device must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.
SRG-NET-000052-NDM-000035 Low The network device must notify the user of organizationally defined security related changes to the user's account occurring during the organizationally defined time period.
SRG-NET-000067-NDM-NA Low The network device must disable the use of organizationally defined networking protocols deemed nonsecure, except for explicitly identified components in support of specific operational requirements.
SRG-NET-000132-NDM-000085 Low The network device must prohibit or restrict File Transfer Protocol over Secure Sockets Layer/Transport Layer Security (FTPS) TCP Ports 20 and 21, and TCP Ports 989 and 990 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000301-NDM-NA Low The network device must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
SRG-NET-000303-NDM-NA Low The network device must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
SRG-NET-000235-NDM-000174 Low The network device must fail to an organizationally defined known state for organizationally defined types of failures.
SRG-NET-000034-NDM-000022 Low The network device must implement separation of duties through assigned information system access authorizations.
SRG-NET-000140-NDM-NA Low The network device must use multifactor authentication for network access to non-privileged accounts.
SRG-NET-000132-NDM-000086 Low The network device must prohibit or restrict Hypertext Transfer Protocol (HTTP) TCP Ports 80, 591, 8008, and 8080 traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
SRG-NET-000006-NDM-000006 Low The network device must notify the appropriate individuals when accounts are created.
SRG-NET-000281-NDM-NA Low The network device must identify information flows by data type specification and usage when transferring information between different security domains.
SRG-NET-000282-NDM-NA Low The network device must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.
SRG-NET-000179-NDM-000138 Low The network device must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SRG-NET-000285-NDM-NA Low The network device must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.