UCF STIG Viewer Logo

Network Infrastructure Policy Security Technical Implementation Guide


Overview

Date Finding Count (67)
2022-06-07 CAT I (High): 6 CAT II (Med): 40 CAT III (Low): 21
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-251348 High Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network.
V-251367 High The organization must implement a deep packet inspection solution when protecting perimeter boundaries.
V-251368 High A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.
V-251350 High DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure.
V-251333 High Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).
V-251380 High Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
V-251354 Medium All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
V-251351 Medium Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.
V-251397 Medium The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
V-251396 Medium The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
V-251394 Medium Multicast register messages must be rate limited per each source-group (S, G) entry.
V-251339 Medium Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
V-251338 Medium An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.
V-251363 Medium All network infrastructure devices must be located in a secure room with limited access.
V-251360 Medium Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
V-251361 Medium Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year.
V-251364 Medium All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).
V-251365 Medium All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
V-251340 Medium Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
V-251342 Medium If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
V-251349 Medium Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
V-251359 Medium All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
V-251372 Medium A dedicated management network must be implemented.
V-251388 Medium Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
V-251353 Medium Network topology diagrams for the enclave must be maintained and up to date at all times.
V-251381 Medium Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
V-251382 Medium VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
V-251383 Medium Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
V-251384 Medium Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.
V-251346 Medium The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
V-251358 Medium External network connections must not bypass the enclaves perimeter security.
V-251369 Medium Two-factor authentication must be implemented to restrict access to all network elements.
V-251352 Medium The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.
V-251335 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.
V-251377 Medium An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.
V-251376 Medium The organization must encrypt all network device configurations while stored offline.
V-251371 Medium A policy must be implemented to keep Bogon/Martian rulesets up to date.
V-251366 Medium When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).
V-251357 Medium If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.
V-251356 Medium External connections to the network must be reviewed and the documentation updated semi-annually.
V-251355 Medium Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.
V-251343 Medium If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
V-251379 Medium Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.
V-251378 Medium All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).
V-251337 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.
V-251336 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.
V-251399 Low First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.
V-251398 Low Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
V-251393 Low Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
V-251392 Low Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
V-251391 Low The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
V-251390 Low The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
V-251395 Low Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
V-251385 Low Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
V-251362 Low Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.
V-251344 Low The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
V-251345 Low The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
V-251347 Low The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
V-251341 Low Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
V-251389 Low A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
V-251386 Low Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
V-251387 Low A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.
V-251334 Low The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment.
V-251375 Low Current and previous network element configurations must be stored in a secured location.
V-251374 Low Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.
V-251370 Low Two Network Time Protocol (NTP) servers must be deployed in the management network.
V-251373 Low A centralized syslog server must be deployed in the management network.