The network device must transmit organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55211	SRG-APP-000325-NDM-000285	SV-69457r1_rule		Medium

Description
Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions.

Description

Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions.

STIG	Date
Network Device Management Security Requirements Guide	2015-06-26

Details

Check Text ( C-55829r1_chk )
Determine if the network device transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device transmits organization-defined access authorization information without using organization-defined security safeguards, this is a finding.

Check Text ( C-55829r1_chk )

Determine if the network device transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions. This requirement may be verified by demonstration, configuration review, or validated test results. If the network device transmits organization-defined access authorization information without using organization-defined security safeguards, this is a finding.

Fix Text (F-60073r1_fix)
Configure the network device to transmit organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.