The network device must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000279-NDM-000188	SRG-NET-000279-NDM-000188	SRG-NET-000279-NDM-000188_rule		Medium

Description
Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples include: network device ACLs or policy filters, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the network device is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.

Description

Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples include: network device ACLs or policy filters, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the network device is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000279-NDM-000188_chk )
Verify the network device prevents access to organizationally defined security-relevant information except during secure, non-operable system states. If the network device does not prevent access to organizationally defined security-relevant information except during secure, non-operable system states, this is a finding.

Fix Text (F-SRG-NET-000279-NDM-000188_fix)
Configure the network device to prevent access to organizationally defined security-relevant information except during secure, non-operable system states.