Network Security Requirements Guide



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-27265 Medium The network element must be configured to enable automated mechanisms to enforce access restrictions.
V-27361 Medium The information system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.
V-27345 Medium The network element must enforce authorized access to the corresponding private key for PKI-based authentication.
V-27287 Medium The network element must limit privileges to change software resident within software libraries.
V-27313 Medium The network element must support organizational requirements to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
V-27508 Medium The network element must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-27289 Medium The network element must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
V-27312 Medium The network element must use multifactor authentication for local access to non-privileged accounts.
V-27317 Medium The network element must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-27343 Medium The network element must enforce maximum password lifetime restrictions.
V-27418 Medium The network element must prevent non-privileged users from circumventing malicious code protection capabilities.
V-27419 Medium The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
V-27340 Medium The network element must enforce password encryption for storage.
V-27370 Medium The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-27412 Medium The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
V-27413 Medium The network element must be configured to implement automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.
V-27410 Medium The network element must prevent discovery of specific system components or devices composing a managed interface.
V-27341 Medium The network element must enforce password encryption for transmission.
V-27416 Medium The network element must prevent access into the organization’s internal networks except as explicitly permitted and controlled by employing boundary protection devices.
V-26997 Medium The network element must produce log records that contain sufficient information to establish what type of events occurred.
V-27414 Medium The network element must employ automated mechanisms to enforce strict adherence to protocol format.
V-27415 Medium The network element must automatically update malicious code protection mechanisms and signature definitions.
V-26727 Medium The network element must prevent access to organization-defined security-relevant information except during secure, non-operable system states.
V-26726 Medium The information system must enforce an organization-defined Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.
V-26725 Medium The network element must implement nondiscretionary access control policies over an organization-defined set of users and resources.
V-27491 Medium The network element must detect attack attempts to the wireless network.
V-26723 Medium The network element must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-27497 Medium The network element must generate unique session identifiers with organization-defined randomness requirements.
V-26721 Medium The network element must monitor for irregular usage of administrative user accounts.
V-27363 Medium The information system or supporting environment must block both inbound and outbound traffic between instant messaging clients independently configured by end users and external service providers.
V-26885 Medium The network element must only allow authorized entities to change security attributes.
V-27201 Medium The network element must protect audit tools from unauthorized modification.
V-27499 Medium The information system must check the validity of information inputs.
V-27207 Medium The network element must protect audit tools from unauthorized deletion.
V-27369 Medium The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device by either physically separated communications paths, or logically separated communications paths based upon encryption.
V-26744 Medium The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.
V-27367 Medium The network element must prevent the download of prohibited mobile code.
V-27305 Medium The network element must support organizational requirements to conduct backups of user-level information contained in the device per organization-defined frequency that is consistent with recovery time and recovery point objectives.
V-27123 Medium The network element must provide an audit reduction capability.
V-26899 Medium The network element must allow authorized users to associate security attributes with information.
V-27112 Medium The network element must employ automated mechanisms to alert security personnel of any inappropriate or unusual activities with security implications.
V-27292 Medium The network element must employ automated mechanisms to centrally apply configuration settings.
V-27293 Medium The network element must employ automated mechanisms to centrally verify configuration settings.
V-27295 Medium The network element must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
V-27296 Medium The network element must ensure that detected unauthorized security-relevant configuration changes are tracked.
V-27350 Medium The network element must be configured to automatically disable the device if any of the organization-defined list of security violations are detected.
V-27298 Medium The network element must not have unnecessary services and capabilities enabled.
V-27482 Medium The network element must take an organization-defined list of least-disruptive actions to terminate suspicious events.
V-27353 Medium The network element must automate mechanisms to restrict the use of maintenance tools to authorized personnel only.
V-27514 Medium The network element must enforce password complexity by the number of special characters used.
V-27493 Medium The organization must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means.
V-27372 Medium The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.
V-26898 Medium The network element must maintain the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.
V-27218 Medium The network element must use cryptographic mechanisms to protect the integrity of audit information.
V-27219 Medium The network element must use cryptography to protect the integrity of audit tools.
V-27199 Medium The network element must protect audit tools from unauthorized access.
V-27352 Medium The organization must check all media containing diagnostic and test programs for malicious code before the media are used in the information system.
V-27355 Medium The network element must protect non-local maintenance sessions through the use of multifactor authentication.
V-27354 Medium The network element must log non-local maintenance and diagnostic sessions.
V-27468 Medium The network element must employ NSA-approved cryptography to protect classified information.
V-27359 Medium The information system must not share resources used to interface with systems operating at different security levels.
V-27358 Medium The organization (or information system) must enforce explicit rules governing the installation of software by users.
V-27465 Medium The network element must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-27464 Medium The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.
V-26738 Medium The network element must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.
V-27196 Medium The network element must protect audit information from unauthorized deletion.
V-27461 Medium The information system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
V-27194 Medium The network element must protect audit information from unauthorized modification.
V-27467 Medium The network element must employ FIPS-validated cryptography to protect unclassified information.
V-27490 Medium The organization must employ malicious code protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means.
V-26993 Medium The network element must monitor for unauthorized connections of mobile devices to information systems.
V-27192 Medium The network element must protect audit information from unauthorized read access.
V-26991 Medium The network element must protect wireless access to the network using authentication.
V-27213 Medium The network element must backup log records on an organization-defined frequency onto a different system or media.
V-26994 Medium The network element must enforce requirements for the connection of mobile devices to organizational information systems.
V-26797 Medium The information system must provide additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
V-27108 Medium The network element must centralize the review and analysis of audit records from multiple network elements within the network.
V-27463 Medium The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
V-27262 Medium The information system must provide the capability to capture/record and log all content related to a user session.
V-26996 Medium The information system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-26739 Medium The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
V-27225 Medium The network element must protect against an individual falsely denying having performed a particular action.
V-30420 Medium The network element must prevent the execution of prohibited mobile code.
V-27223 Medium The network element must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
V-26781 Medium The network element must enforce information flow control on metadata.
V-27074 Medium The network element must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-26783 Medium The network element must enforce organization-defined one-way traffic flows using hardware mechanisms.
V-27228 Medium The information system must associate the identity of the information producer with the information.
V-26793 Medium The information system must track problems associated with the information transfer.
V-27504 Medium The network element must provide notification of failed automated security tests.
V-27505 Medium The network element must provide automated support for the management of distributed security testing.
V-27506 Medium The network element must detect unauthorized changes to software and information.
V-27507 Medium The network element must be configured to identify and respond to potential security-relevant error conditions.
V-27478 Medium The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
V-27501 Medium The network element must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
V-27348 Medium The network element must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-27503 Medium The network element must respond to security function anomalies in accordance with organization-defined responses and alternative actions.
V-26709 Medium The network element must provide automated support for account management functions.
V-27347 Medium The network element must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
V-27344 Medium The network element must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.
V-27477 Medium The organization must install software updates automatically.
V-27470 Medium The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-27509 Medium The network element must activate an organization-defined alarm when a system component failure is detected.
V-27472 Medium The network element must protect the integrity and availability of publicly available information and applications.
V-27473 Medium The network element must associate security attributes with information exchanged between network elements.
V-26740 Medium The network element must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-26990 Medium The network element must enforce requirements for remote connections to the network.
V-26988 Medium The network element must audit remote sessions for accessing an organization-defined list of security functions and security-relevant information.
V-27006 Medium The network element logging facility must be configured to reduce the likelihood of log record capacity being exceeded.
V-26796 Medium The network element must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
V-27492 Medium The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.
V-26794 Medium The network element must implement separation of duties through assigned information system access authorizations.
V-26795 Medium The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.
V-27138 Medium The network element must synchronize its internal clock on an organization-defined frequency with an organization-defined authoritative time source.
V-26743 Medium The network element must identify information flows by data type specification and usage when transferring information between different security domains.
V-27365 Medium The organization must prohibit remote activation of collaborative computing devices excluding the organization-defined exceptions where remote activation is allowed.
V-27264 Medium The network element must enforce access restrictions associated with changes to the information system.
V-27366 Medium The organization must ensure the development of mobile code being deployed in information systems meeting organization-defined mobile code requirements.
V-26798 Medium The network element must enforce the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period.
V-26799 Medium The network element must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-26758 Medium The network element must uniquely authenticate source domains for information transfer.
V-27233 Medium The information system must validate the binding of the information producer’s identity to the information.
V-26724 Medium The network element must enforce dual authorization based on organizational policies and procedures for organization-defined privileged commands.
V-27133 Medium The network element must use internal system clocks to generate time stamps for audit records.
V-27234 Medium The information system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-27235 Medium The information system must validate the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-27360 Medium The information system must fail securely in the event of an operational failure of a boundary protection device.
V-26813 Medium The network element must notify the user of the number of unsuccessful login attempts to the local device occurring during an organization-defined time period.
V-26812 Medium The network element must notify the user of the number of successful login attempts to the local device occurring during an organization-defined time period.
V-26815 Medium The network element must limit the number of concurrent sessions for each account to an organization-defined number.
V-26814 Medium The network element must notify the user of organization-defined security-related changes to the user’s account occurring during the organization-defined time period.
V-26817 Medium The information system must initiate a session lock after the organization-defined time period of inactivity.
V-26722 Medium The network element must be configured to dynamically manage administrative privileges and associated command authorizations.
V-27449 Medium The network element must take corrective action when unauthorized mobile code is identified.
V-26710 Medium The network element must automatically terminate temporary accounts after an organization-defined time period for each type of account.
V-27339 Medium The network element must enforce the number of characters changed when passwords are changed.
V-26742 Medium The network element must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies.
V-26718 Medium The network element must notify the appropriate individuals when account disabling actions are taken.
V-26818 Medium The information system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-27333 Medium The network element must enforce minimum password length.
V-27332 Medium The network element must support organizational requirements to disable the user identifiers after an organization-defined time period of inactivity.
V-27443 Medium The network element must terminate the connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
V-26720 Medium The network element must notify the appropriate individuals for account termination.
V-27445 Medium The network element must establish a trusted communications path between the user and organization-defined security functions within the information system.
V-26713 Medium The network element must automatically audit the creation of accounts.
V-27335 Medium The network element must enforce password complexity by the number of upper case characters used.
V-27334 Medium The network element must prohibit password reuse for the organization-defined number of generations.
V-26763 Medium The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
V-26756 Medium The network element must enforce security policies regarding information on interconnected systems.
V-27498 Medium The information system must automatically update spam protection mechanisms (including signature definitions).
V-26757 Medium The network element must uniquely identify source domains for information transfer.
V-27129 Medium The network element must provide the capability to automatically process log records for events of interest based upon selectable criteria.
V-26802 Medium The network element must display an approved banner to the administrator that is retained on the screen until the administrator takes explicit actions to log on.
V-26803 Medium The network element must display an approved system use notification message or banner before granting access to the device.
V-26800 Medium The network element must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked until released by an administrator.
V-26801 Medium The network element must display an approved system use notification message or banner before granting access to the system.
V-27496 Medium The organization must update spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
V-27495 Medium The network element must recognize only system-generated session identifiers.
V-27126 Medium The network element must provide a report generation capability.
V-26808 Medium Upon successful logon the network element must display the date and time of the last logon of the user.
V-26809 Medium Upon successful logon the network element must display to the user the number of unsuccessful logon attempts since the last successful logon.
V-27009 Medium The network element must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged.
V-27008 Medium The network element must provide a real-time alert when organization-defined audit failure events occur.
V-27454 Medium The network element must invalidate session identifiers upon user logout or other session termination.
V-27389 Medium The network element must preserve organization-defined system state information in the event of a system failure.
V-27452 Medium The information system must provide a readily observable logout capability whenever authentication is used to gain access to web pages.
V-27450 Medium The network element must provide mechanisms to protect the authenticity of communications sessions.
V-27451 Medium The network elements that collectively provide name/address resolution service for an organization must implement internal/external role separation.
V-27001 Medium The network element must produce audit records that contain sufficient information to establish the identity of any user or subject associated with the event.
V-27000 Medium The network element must produce log records containing sufficient information to determine if the event was a success or failure.
V-27003 Medium The network element must produce log records that contain detailed information for events identified by type, location, and subject.
V-27002 Medium The network element must produce log records containing sufficient information to establish the sources of the events.
V-27005 Medium The network element must be configured to allocate audit record storage capacity.
V-27004 Medium The network element must support the requirement to centrally manage the content of audit records generated by network infrastructure components.
V-27007 Medium The network element must provide a warning when the logging storage capacity reaches an organization-defined percentage of maximum capacity.
V-27459 Medium The organization must employ organization-defined information system components with no writeable storage persistent across component restart or power on/off.
V-27083 Medium The network element must be configured to send an alert to designated personnel in the event of an audit processing failure.
V-26759 Medium The network element must uniquely identify and validate destination domains for information transfer.
V-30480 Medium The network element must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
V-30371 Medium The information system must initiate a session lock after the organization-defined time period of inactivity.
V-27320 Medium The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.
V-26762 Medium The information system must track problems associated with the security attribute binding.
V-26761 Medium The information system must bind security attributes to information to facilitate information flow policy enforcement.
V-26760 Medium The network element must uniquely authenticate destination domains for information transfer.
V-27446 Medium The network element must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.
V-26766 Medium The network element must terminate all tunnels prior to passing through the perimeter security zone.
V-26765 Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
V-26764 Medium The network must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.
V-27502 Medium The information system must reveal error messages only to authorized personnel.
V-26995 Medium The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
V-27383 Medium The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-26992 Medium The network element must protect wireless access to the network using encryption.
V-26816 Medium The information system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-27377 Medium The information system must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-27273 Medium The network element must enforce a two-person rule for changes to organization-defined information system components and system-level information.
V-26877 Medium The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-27398 Medium The network element must limit and reserve bandwidth based on priority of the traffic type.
V-27010 Medium The network element must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.
V-27448 Medium The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.
V-27395 Medium The network element must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-27394 Medium The network element must include components to proactively seek to identify web-based malicious code.
V-27397 Medium The network element must protect the confidentiality and integrity of system information at rest.
V-27396 Medium The network element must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks.
V-27391 Medium The network element must prevent unauthorized and unintended information transfer via shared system resources.
V-27390 Medium The network element must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-27393 Medium The network element must protect against or limit the effects of Denial of Service (DoS) attacks.
V-27392 Medium The network element must employ malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
V-27315 Medium The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network element being accessed.
V-27422 Medium The network element must only update malicious code protection mechanisms when directed by a privileged user.
V-27421 Medium The network element must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
V-27316 Medium The network element must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-27311 Medium The network element must use multifactor authentication for local access to privileged accounts.
V-27310 Medium The network element must use multifactor authentication for network access to non-privileged accounts.
V-27425 Medium The network element must deny network traffic from, and audit, internal addresses posing a threat to external information systems.
V-27424 Medium The network element must employ malicious code protection mechanisms to detect and eradicate malicious code at the network perimeter.
V-27373 Medium The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-27428 Medium The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-27319 Medium The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.
V-27318 Medium The network element must authenticate an organization-defined list of specific devices by device type before establishing a connection.
V-27480 Medium The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-27255 Medium The network element must compile log data from multiple components into a network-wide audit trail that is time-correlated to within an organization-defined level of tolerance.
V-27484 Medium The network element must generate a unique session identifier for each session.
V-27257 Medium The network element must produce a system-wide audit trail composed of log records in a standardized format.
V-27371 Medium The network element must prevent the automatic execution of mobile code in organization-defined software applications and require organization-defined actions prior to executing the code.
V-27098 Medium The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-27303 Medium The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. The monitoring may be accomplished on an ongoing basis or by periodic scanning. Automated mechanisms can be implemented within the network element or in a separate system.
V-27466 Medium The information system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.
V-27351 Medium The network element must employ automated mechanisms to assist in the tracking of security incidents.
V-26719 Medium The network element must automatically audit account termination.
V-27258 Medium The network element must generate log records for organization-defined events determined to be significant and relevant to the security of the network infrastructure.
V-27259 Medium The network element must allow administrators to select which events are to be logged by specific components of the system.
V-27091 Medium The network element must be configured to stop generating log records or overwrite the oldest log records when an audit failure occurs.
V-27342 Medium The network element must enforce minimum password lifetime restrictions.
V-27301 Medium The network element must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and services.
V-30598 Medium The network element must protect against unauthorized physical connections across the boundary protections implemented at an organization-defined list of managed interfaces.
V-26717 Medium The network element must automatically audit account disabling actions.
V-26741 Medium The network element must enforce the highest privilege level administrative access to enable or disable security policy filters.
V-26714 Medium The network element must notify the appropriate individuals when accounts are created.
V-27307 Medium The network element must support organizational requirements to conduct backups of information system documentation including security-related documentation per organization-defined frequency that is consistent with recovery time and recovery point objectives.
V-26715 Medium The network element must automatically audit account modification.
V-27304 Medium The information system must implement transaction recovery for systems that are transaction-based.
V-26746 Medium The network element must detect unsanctioned information when transferring information between different security domains.
V-27291 Medium The network element must employ automated mechanisms to centrally manage configuration settings.
V-26712 Medium The network element must automatically disable inactive accounts after an organization-defined time period of inactivity.
V-27380 Medium The network element must prevent the exposure of network management traffic onto a user or production network.
V-27381 Medium The network element must isolate security functions from non-security functions.
V-27386 Medium The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.
V-27387 Medium The network element must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
V-27384 Medium The network element must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-27385 Medium The network element must fail to an organization-defined known-state for organization-defined types of failures.
V-27302 Medium The network element must employ automated mechanisms to prevent program execution in accordance with organization-defined specifications.
V-26824 Medium The network element must support and maintain the binding of organization-defined security attributes to information in storage.
V-26747 Medium The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
V-27433 Medium The network element must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
V-27306 Medium The network element must support organizational requirements to conduct backups of system-level information contained in the information system per organization-defined frequency.
V-27435 Medium The network element must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-27436 Medium The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.
V-27437 Medium The network element must protect the confidentiality of transmitted information.
V-27438 Medium The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-27399 Medium The network element must check inbound traffic to ensure that the communications are coming from an authorized source and routed to an authorized destination.
V-27308 Medium The network element must enforce the identification and authentication of all organizational users.
V-26711 Medium The network element must automatically terminate emergency accounts after an organization-defined time period.
V-30429 Medium The network element must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
V-30048 Medium The network element must disable network access by unauthorized devices and log the information as a security violation.
V-26987 Medium The network element must monitor for unauthorized remote connections to specific information systems on an organization-defined frequency.
V-26986 Medium The network element must route all remote access traffic through managed access control points.
V-26985 Medium The network element must be configured to use cryptography to protect the integrity of remote access sessions.
V-27309 Medium The network element must use multifactor authentication for network access to privileged accounts.
V-26826 Medium The network element must support and maintain the binding of organization-defined security attributes to information in process.
V-26982 Medium The network element must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.
V-27267 Medium The network element must be configured to enable automated mechanisms to support auditing of the enforcement actions.
V-27431 Medium The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-27269 Medium The network element must prevent the installation of organization-defined critical software programs not signed with a certificate that is recognized and approved by the organization.
V-26716 Medium The network element must notify the appropriate individuals when accounts are modified.
V-26989 Medium The network element must disable use of organization-defined networking protocols within the device configuration deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-26784 Medium The network element must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions.
V-27208 Medium The network element must produce audit records on hardware-enforced write-once media.
V-27336 Medium The network element must enforce password complexity by the number of lower case characters used.
V-27331 Medium The network element must dynamically manage identifiers, attributes, and associated access authorizations to enable user access to the network with the appropriate and authorized privileges.
V-27427 Medium The network element must monitor and control traffic at both the external and internal boundary interfaces.
V-27462 Medium The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
V-27261 Medium The information system must initiate session audits at system start-up.
V-27430 Medium The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-26745 Medium The network element must implement policy filters that constrain data structure and content to organization-defined information security policy requirements when transferring information between different security domains.
V-27260 Medium The network element must generate audit records for an organization-defined list of auditable events.
V-26854 Medium The network element must support and maintain the binding of organization-defined security attributes to information in transmission.
V-27263 Medium The information system must provide the capability to remotely view/hear all content related to an established user session in real time.
V-26984 Medium The network element must use approved cryptography to protect the confidentiality of remote access sessions.
V-27409 Medium The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-27408 Medium The network element must be configured to perform organization-defined actions in response to malicious code detection.
V-27330 Medium The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.
V-27405 Medium The network element must isolate organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.
V-26983 Medium The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-27407 Medium The network element must receive all management traffic through a dedicated management interface for purposes of access control and auditing.
V-27406 Medium The network element must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed.
V-27401 Medium The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-27400 Medium The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.
V-27403 Medium The network element must implement host-based boundary protection mechanisms.
V-27479 Medium The network element must provide near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occur.
V-27485 Medium The network element must ensure all encrypted traffic is visible to network monitoring tools.
V-27376 Medium The network element must employ cryptographic mechanisms to protect information in storage.
V-27375 Medium The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-27374 Medium The network element must terminate all sessions when non-local maintenance is completed.
V-27481 Medium The network element must notify an organization-defined list of incident response personnel of suspicious events.
V-30479 Medium The network element must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-27483 Medium The network element must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
V-27314 Medium The network element must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the network element being accessed.
V-30474 Medium The organization must ensure that the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
V-30476 Medium The organization must ensure that the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
V-27349 Medium The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
V-26998 Medium The network element must produce log records containing sufficient information to establish when the events occurred.
V-27488 Medium The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
V-27379 Medium The network element must separate user traffic from network management traffic.
V-27378 Medium The network element must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-27346 Medium The network element must map the authenticated identity to the user account for PKI-based authentication.
V-27441 Medium The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-27420 Medium The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
V-27337 Medium The network element must enforce password complexity by the number of numeric characters used.
V-27475 Medium The network element must validate the integrity of security attributes exchanged between network elements.
V-27487 Medium The network element must analyze outbound traffic at the external boundary of the network.
V-26999 Medium The network element must produce log records containing sufficient information to establish where the events occurred.
V-27440 Medium The network element must maintain the confidentiality of information during aggregation and encapsulation in preparation for transmission.
V-27476 Medium The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
V-27432 Medium The network element must protect the integrity of transmitted information.
V-27426 Medium The network element must not allow users to introduce removable media into the information system.