UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Network Infrastructure Policy Security Technical Implementation Guide


Overview

Date Finding Count (74)
2017-12-07 CAT I (High): 7 CAT II (Med): 45 CAT III (Low): 22
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-12072 High Unclassified wireless devices must not be allowed in a Sensitive Compartmented Information Facility (SCIF) unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive (ICD) 503, ICD 705, DIA SCIF policy requirements, the Authorizing Official (AO) and local Special Security officer (SSO).
V-14642 High The organization must implement a deep packet inspection solution when protecting perimeter boundaries.
V-11796 High A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.
V-14740 High DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure.
V-14741 High Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
V-8051 High Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).
V-14737 High Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network.
V-14634 Medium If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.
V-8066 Medium When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).
V-18506 Medium If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
V-19900 Medium The cryptography implemented by the Wireless Local Area Network (WLAN) components must be FIPS 140-2 validated.
V-8052 Medium External network connections must not bypass the enclaves perimeter security.
V-14638 Medium All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).
V-14716 Medium An Out-of-Band (OOB) management network must be deployed for MAC I systems or 24x7 personnel must have console access for device management.
V-31637 Medium Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
V-8048 Medium External connections to the network must be reviewed and the documentation updated semi-annually.
V-31632 Medium All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
V-8047 Medium All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
V-8046 Medium Network topology diagrams for the enclave must be maintained and up to date at all times.
V-66389 Medium The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
V-30255 Medium The Wireless Local Area Network (WLAN) must be Wi-Fi Protected Access 2 (WPA2)-Enterprise certified by the Wi-Fi Alliance.
V-18507 Medium If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
V-14723 Medium Two-factor authentication must be implemented to restrict access to all network elements.
V-8081 Medium The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.
V-18496 Medium Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
V-18497 Medium Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
V-18490 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.
V-18492 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.
V-18493 Medium An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.
V-14640 Medium All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
V-66379 Medium Multicast register messages must be rate limited per each source-group (S, G) entry.
V-66365 Medium Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
V-14745 Medium VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
V-14742 Medium Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
V-14743 Medium Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.
V-12101 Medium All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).
V-8078 Medium The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
V-17772 Medium A dedicated management network must be implemented.
V-66391 Medium The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
V-8054 Medium All network infrastructure devices must be located in a secure room with limited access.
V-66349 Medium Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.
V-12106 Medium Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.
V-23735 Medium The organization must encrypt all network device configurations while stored offline.
V-66353 Medium Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
V-8272 Medium An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.
V-66355 Medium Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.
V-66359 Medium VLAN Trunk Protocol (VTP) messages must be authenticated with a hash function using the most secured cryptographic algorithm available.
V-25319 Medium DoD Components providing Internet-only guest access must use separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network.
V-14738 Medium Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
V-18596 Medium The site must conduct continuous wireless Intrusion Detection System (IDS) scanning.
V-33831 Medium A policy must be implemented to keep Bogon/Martian rulesets up to date.
V-12102 Medium Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.
V-8061 Low Current and previous network element configurations must be stored in a secured location.
V-8060 Low A centralized syslog server must be deployed in the management network.
V-8049 Low The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment.
V-8100 Low Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.
V-8080 Low The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
V-18511 Low The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
V-18510 Low The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
V-66369 Low The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
V-66363 Low A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.
V-66361 Low Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
V-66367 Low A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
V-66397 Low First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.
V-8099 Low Dynamic Host Configuration Protocol (DHCP) audit and event logs must record hostnames and MAC addresses to be stored online for thirty days and offline for one year.
V-66393 Low Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
V-17860 Low Two Network Time Protocol (NTP) servers must be deployed in the management network.
V-66351 Low Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.
V-66357 Low Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
V-66381 Low Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
V-66371 Low The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
V-18504 Low Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
V-66373 Low Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
V-66375 Low Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.