UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Network Device Management Security Requirements Guide


Overview

Date Finding Count (135)
2019-09-27 CAT I (High): 13 CAT II (Med): 122 CAT III (Low): 0
STIG Description
The Network Device Management Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-55171 High The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
V-55141 High The network device, when utilizing PKI-based authentication, must accept only certificates issued by a DoD-approved Certificate Authority.
V-55149 High The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-55153 High The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
V-55159 High The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-55265 High The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
V-55267 High The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions
V-55131 High The network device must only store cryptographic representations of passwords.
V-55133 High The network device must transmit only encrypted representations of passwords.
V-55101 High The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
V-55103 High The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
V-55221 High The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-55051 High The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-55219 Medium The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-55215 Medium If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-55217 Medium If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
V-55211 Medium The network device must be compliant with at least one IETF Internet standard authentication protocol.
V-55213 Medium The network device must use cryptographic mechanisms to protect the integrity of audit information at rest.
V-55295 Medium The network device must generate log records for a locally developed list of auditable events
V-55045 Medium The network device must automatically audit account modification.
V-55297 Medium The network device must enforce access restrictions associated with changes to the system components.
V-55047 Medium The network device must automatically audit account disabling actions.
V-55291 Medium The network device must notify the administrator of the number of successful login attempts occurring during an organization-defined time period.
V-55041 Medium The network device must automatically disable accounts after a 35-day period of account inactivity.
V-55293 Medium The network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B.
V-55043 Medium The network device must automatically audit account creation.
V-55163 Medium The network device must recognize only system-generated session identifiers.
V-55161 Medium The network device must invalidate session identifiers upon administrator logout or other session termination.
V-55167 Medium The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-55049 Medium The network device must automatically audit account removal actions.
V-55165 Medium The network device must use internal system clocks to generate time stamps for audit records.
V-55209 Medium The network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-55203 Medium The network device must automatically audit account enabling actions.
V-55201 Medium The network device must terminate shared/group account credentials when members leave the group.
V-55207 Medium The network device must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
V-55205 Medium The network device must protect audit tools from unauthorized deletion.
V-55071 Medium The network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
V-55283 Medium The network device must generate audit records when concurrent logons from different workstations occur.
V-55073 Medium The network device must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
V-55281 Medium The network device must generate audit records showing starting and ending time for administrator access to the system.
V-55075 Medium The network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-55287 Medium The network device must off-load audit records onto a different system or media than the system being audited.
V-55077 Medium The network device must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-55079 Medium The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-55173 Medium The network device must protect audit information from unauthorized modification.
V-55175 Medium The network device or authentication server must never automatically remove or disable emergency administrator accounts.
V-55145 Medium The network device must map the authenticated identity to the user account for PKI-based authentication.
V-55147 Medium The network device must generate audit records containing the full-text recording of privileged commands.
V-55143 Medium The network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-55179 Medium The network device must protect audit information from unauthorized deletion.
V-55197 Medium Network devices must provide a logout capability for administrator-initiated communication sessions.
V-55279 Medium The network device must generate audit records for privileged activities or other system-level access.
V-55069 Medium The network device must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
V-55277 Medium The network device must generate audit records when successful/unsuccessful logon attempts occur.
V-55067 Medium The network device must audit the execution of privileged functions.
V-55275 Medium The network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-55065 Medium The network device must notify the administrator of changes to access and/or privilege parameters of the administrators account that occurred since the last logon.
V-55273 Medium The network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-55063 Medium Upon successful login, the network device must notify the administrator of the number of unsuccessful login attempts since the last successful login.
V-55271 Medium If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
V-55061 Medium Upon successful login, the network device must notify the administrator of the date and time of the last login.
V-55311 Medium The network device must employ automated mechanisms to assist in the tracking of security incidents.
V-55093 Medium The network device must initiate session auditing upon startup.
V-55091 Medium The network device must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-55097 Medium The network device must produce audit records containing information to establish when (date and time) the events occurred.
V-55095 Medium The network device must produce audit log records containing sufficient information to establish what type of event occurred.
V-55099 Medium The network device must produce audit records containing information to establish where the events occurred.
V-55303 Medium The network device must employ automated mechanisms to centrally verify authentication settings.
V-55301 Medium The network device must employ automated mechanisms to centrally apply authentication settings.
V-55151 Medium The network device must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-55307 Medium The network device must be configured to to conduct backups of system level information contained in the information system when changes occur.
V-55157 Medium The network device must shut down by default upon audit failure (unless availability is an overriding concern).
V-55305 Medium The network device must employ automated mechanisms to detect the addition of unauthorized components or devices.
V-55155 Medium The network device must terminate all sessions and network connections when nonlocal device maintenance is completed.
V-55309 Medium The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
V-55269 Medium The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
V-63997 Medium The network device must not have any default manufacturer passwords when deployed.
V-55261 Medium The network device must prohibit the use of cached authenticators after an organization-defined time period.
V-55263 Medium Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.
V-55085 Medium The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-55089 Medium The network device must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-55127 Medium The network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-55313 Medium The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-55315 Medium The network device must limit privileges to change the software resident within software libraries.
V-55259 Medium The network device must allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-55125 Medium The network device must enforce password complexity by requiring that at least one special character be used.
V-55123 Medium The network device must enforce password complexity by requiring that at least one numeric character be used.
V-55121 Medium The network device must enforce password complexity by requiring that at least one lower-case character be used.
V-55251 Medium The network device must accept Personal Identity Verification (PIV) credentials.
V-55253 Medium The network device must electronically verify Personal Identity Verification (PIV) credentials.
V-55255 Medium The Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-55129 Medium The network device must produce audit log records containing information to establish the source of events.
V-55035 Medium The network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures.
V-55247 Medium The network device must require users to re-authenticate when privilege escalation or role changes occur.
V-55037 Medium The network element must provide automated support for account management functions.
V-55245 Medium The network device must audit the enforcement actions used to restrict access associated with changes to the device.
V-55031 Medium The network device must initiate a session lock after a 15-minute period of inactivity.
V-55243 Medium The network device must enforce access restrictions associated with changes to device configuration.
V-55033 Medium The application or console being used to administer a network device must provide the capability for network administrators to directly initiate a session lock.
V-55299 Medium The network device must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
V-55039 Medium The network device must automatically remove or disable temporary user accounts after 72 hours.
V-55135 Medium The network device must enforce 24 hours as the minimum password lifetime.
V-55137 Medium The network device must produce audit records that contain information to establish the outcome of the event.
V-55139 Medium The network device must enforce a 60-day maximum password lifetime restriction.
V-80967 Medium The network device, when utilizing PKI-based authentication, must not accept revoked certificates.
V-55189 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are disabled.
V-55231 Medium The network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.
V-55237 Medium The network device must generate an alert that will then be sent to the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.
V-55027 Medium The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
V-55235 Medium The network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-55181 Medium The network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-55239 Medium The network device must prohibit installation of software without explicit privileged status.
V-55029 Medium The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-55185 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are created.
V-55187 Medium The network device must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
V-55105 Medium The network device must use multifactor authentication for network access to privileged accounts.
V-55107 Medium The network device must use multifactor authentication for local access to privileged accounts.
V-55109 Medium The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
V-55233 Medium The network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-64001 Medium The network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
V-55257 Medium The network device must dynamically manage identifiers.
V-55193 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are removed.
V-55191 Medium The network device must protect audit tools from unauthorized modification.
V-55199 Medium The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
V-68747 Medium The network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-55113 Medium The network device must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-55057 Medium The network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-55055 Medium The network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
V-55053 Medium The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
V-55119 Medium The network device must enforce password complexity by requiring that at least one upper-case character be used.
V-55117 Medium The network device must prohibit password reuse for a minimum of five generations.
V-55115 Medium The network device must enforce a minimum 15-character password length.
V-55183 Medium The network device must protect audit tools from unauthorized access.
V-55059 Medium The network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-55111 Medium The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.