{
"stig": {
"date": "2021-04-16",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-243153": {
"checkid": "C-46428r719912_chk",
"checktext": "Review the network device configuration to determine if the network device is configured with a password of at least 15 characters.\n\nIf the network device password is not at least 15 characters in length, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
"fixid": "F-46385r719913_fix",
"fixtext": "Configure the network device so it will require a password to gain administrative access to the device. Configure the password length to at least 15 characters.",
"iacontrols": null,
"id": "V-243153",
"ruleID": "SV-243153r719914_rule",
"severity": "medium",
"title": "The network device must enforce a minimum 15-character password length.",
"version": "WLAN-ND-000200"
},
"V-243154": {
"checkid": "C-46429r719915_chk",
"checktext": "Review the network device configuration to determine if the vendor default password is active.\n\nIf any vendor default passwords are used on the device, this is a finding.",
"description": "Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. \n\nMany default vendor passwords are well known or easily guessed; therefore, not removing them prior to deploying the network device into production provides an opportunity for a malicious user to gain unauthorized access to the device.",
"fixid": "F-46386r719916_fix",
"fixtext": "Remove any vendor default passwords from the network device configuration.",
"iacontrols": null,
"id": "V-243154",
"ruleID": "SV-243154r719917_rule",
"severity": "medium",
"title": "The network device must not have any default manufacturer passwords when deployed.",
"version": "WLAN-ND-000300"
},
"V-243155": {
"checkid": "C-46430r719918_chk",
"checktext": "Review the device configuration or request that the administrator log on to the device and observe the terminal. \n\nVerify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim:\n\nOption A\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nOption B\n\nIf the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: \"I've read & consent to terms in IS user agreem't.\"\n\nIf the device configuration does not have a logon banner as stated above, this is a finding.",
"description": "All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts limits DoD's ability to prosecute unauthorized access and also presents the potential for criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed.\n\nDoD CIO has issued new, mandatory policy standardizing the wording of \"notice and consent\" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, \"Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement\", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.",
"fixid": "F-46387r719919_fix",
"fixtext": "Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage must be displayed verbatim as follows:\n\nOption A\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nOption B\n\nIf the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: \"I've read & consent to terms in IS user agreem't.\"",
"iacontrols": null,
"id": "V-243155",
"ruleID": "SV-243155r719920_rule",
"severity": "medium",
"title": "The network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.",
"version": "WLAN-ND-000400"
},
"V-243156": {
"checkid": "C-46431r719921_chk",
"checktext": "Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity.\n\nIf the device does not terminate inactive management connections at 10 minutes or less, this is a finding.",
"description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.",
"fixid": "F-46388r719922_fix",
"fixtext": "Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.",
"iacontrols": null,
"id": "V-243156",
"ruleID": "SV-243156r719923_rule",
"severity": "high",
"title": "The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.",
"version": "WLAN-ND-000500"
},
"V-243157": {
"checkid": "C-46432r719924_chk",
"checktext": "Review the network device configuration and validate that users are authenticated before they are assigned privileges based on the role or group the account is assigned to.\n\nIf a user can gain access to network device privileges before they are authenticated, this is a finding.",
"description": "To ensure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated.\n\nIndividual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. \n\nIf a device allows or provides for group authenticators, it must individually authenticate administrators prior to implementing group authenticator functionality. \n\nSome devices may not have the need to provide a group authenticator; this is considered a matter of device design. Where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.",
"fixid": "F-46389r719925_fix",
"fixtext": "Configure the network device to authenticate users before assigning privileges to each individual user account based on the role or group the account is assigned to.",
"iacontrols": null,
"id": "V-243157",
"ruleID": "SV-243157r719926_rule",
"severity": "medium",
"title": "The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.",
"version": "WLAN-ND-000600"
},
"V-243158": {
"checkid": "C-46433r719927_chk",
"checktext": "Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level, which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties.\n\nIf authorized accounts are assigned to greater privileges than necessary, this is a finding.",
"description": "To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.",
"fixid": "F-46390r719928_fix",
"fixtext": "Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.",
"iacontrols": null,
"id": "V-243158",
"ruleID": "SV-243158r719929_rule",
"severity": "high",
"title": "The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.",
"version": "WLAN-ND-000700"
},
"V-243159": {
"checkid": "C-46434r719930_chk",
"checktext": "Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. \n\n- SSHv2\n- SCP\n- HTTPS using TLS\n\nIf management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.",
"description": "This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.",
"fixid": "F-46391r719931_fix",
"fixtext": "Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.",
"iacontrols": null,
"id": "V-243159",
"ruleID": "SV-243159r719932_rule",
"severity": "high",
"title": "The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.",
"version": "WLAN-ND-000800"
},
"V-243160": {
"checkid": "C-46435r719933_chk",
"checktext": "Review the configuration to verify all attempts to access the device via management connection are logged.\n\nIf management connection attempts are not logged, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the network device (e.g., module or policy filter).",
"fixid": "F-46392r719934_fix",
"fixtext": "Configure the device to log all access attempts to the device to establish a management connection for administrative access.",
"iacontrols": null,
"id": "V-243160",
"ruleID": "SV-243160r719935_rule",
"severity": "medium",
"title": "The network device must generate audit records when successful/unsuccessful logon attempts occur.",
"version": "WLAN-ND-000900"
},
"V-243161": {
"checkid": "C-46436r719936_chk",
"checktext": "Have the administrator display the operating system version in operation. The operating system must be current, with related IAVMs addressed.\n\nIf the device is using an OS that does not meet all IAVMs or is not currently supported by the vendor, this is a finding.",
"description": "Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.",
"fixid": "F-46393r719937_fix",
"fixtext": "Update the operating system to a supported version that addresses all related IAVMs.",
"iacontrols": null,
"id": "V-243161",
"ruleID": "SV-243161r719938_rule",
"severity": "high",
"title": "The network device must be running an operating system release that is currently supported by the vendor.",
"version": "WLAN-ND-001000"
},
"V-243162": {
"checkid": "C-46437r719939_chk",
"checktext": "Review the network device configuration to verify all management connections use an authentication server for administrative access.\n\nIf the network device is not configured to use an authentication server for management access, this is a finding.",
"description": "Centralized management of authentication settings increases the security of remote and nonlocal access methods. This is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.",
"fixid": "F-46394r719940_fix",
"fixtext": "Configure authentication for all management connections using an authentication server.",
"iacontrols": null,
"id": "V-243162",
"ruleID": "SV-243162r719941_rule",
"severity": "high",
"title": "The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.",
"version": "WLAN-ND-001100"
},
"V-243163": {
"checkid": "C-46438r719942_chk",
"checktext": "Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.\n\nDowngrades:\nIf the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a CAT II.\n\nIf the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a CAT II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a CAT II provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and a migration plan has been developed that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.\n\nIf the device is configured to use anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. \n\nDowngrades can be determined based on the criteria above.",
"description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and types) of devices that truly need to support this capability.",
"fixid": "F-46395r719943_fix",
"fixtext": "If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).",
"iacontrols": null,
"id": "V-243163",
"ruleID": "SV-243163r719944_rule",
"severity": "medium",
"title": "The network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).",
"version": "WLAN-ND-001200"
},
"V-243164": {
"checkid": "C-46439r719945_chk",
"checktext": "Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency.\n\nVerify the username and password for the local account of last resort is contained in a sealed envelope kept in a safe.\n\nIf an authentication server is used and more than one local account exists, this is a finding.",
"description": "Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.\n\nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.",
"fixid": "F-46396r719946_fix",
"fixtext": "Configure the device to allow only one local account of last resort for emergency access and store the credentials in a secure manner.",
"iacontrols": null,
"id": "V-243164",
"ruleID": "SV-243164r719947_rule",
"severity": "medium",
"title": "The network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.",
"version": "WLAN-ND-001300"
},
"V-243165": {
"checkid": "C-46440r719948_chk",
"checktext": "Review the configuration and verify the number of unsuccessful SSH logon attempts is set at \"3\", after which time it must block any login attempt for 15 minutes.\n\nIf the device is not configured to reset unsuccessful SSH logon attempts at \"3\" and then block any login attempt for 15 minutes, this is a finding.",
"description": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.",
"fixid": "F-46397r719949_fix",
"fixtext": "Configure the network device to require a maximum number of unsuccessful SSH logon attempts at \"3\", after which time it must block any login attempt for 15 minutes.",
"iacontrols": null,
"id": "V-243165",
"ruleID": "SV-243165r719950_rule",
"severity": "medium",
"title": "The network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.",
"version": "WLAN-ND-001400"
},
"V-243166": {
"checkid": "C-46441r719951_chk",
"checktext": "Review the configuration of the network device. Verify all unnecessary and/or nonsecure functions, ports, protocols, and/or services are disabled.\n\nIf any unnecessary and/or nonsecure functions, ports, protocols, and/or services are not disabled, this is a finding.",
"description": "To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.\n\nNetwork devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the network device must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, it must be documented and approved.",
"fixid": "F-46398r719952_fix",
"fixtext": "Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.",
"iacontrols": null,
"id": "V-243166",
"ruleID": "SV-243166r719953_rule",
"severity": "high",
"title": "The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.",
"version": "WLAN-ND-001500"
},
"V-243167": {
"checkid": "C-46442r719954_chk",
"checktext": "Review the network device configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based.\n\nIf the network device does not authenticate Network Time Protocol sources using authentication that is cryptographically based, this is a finding.",
"description": "If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.",
"fixid": "F-46399r719955_fix",
"fixtext": "Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.",
"iacontrols": null,
"id": "V-243167",
"ruleID": "SV-243167r719956_rule",
"severity": "medium",
"title": "The network device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.",
"version": "WLAN-ND-001600"
},
"V-243168": {
"checkid": "C-46443r719957_chk",
"checktext": "Review the configuration and verify SSH Version 1 is not being used for administrative access.\n\nIf the device is using an SSHv1 session, this is a finding.",
"description": "A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.",
"fixid": "F-46400r719958_fix",
"fixtext": "Configure the network device to use SSH Version 2.",
"iacontrols": null,
"id": "V-243168",
"ruleID": "SV-243168r719959_rule",
"severity": "medium",
"title": "The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.",
"version": "WLAN-ND-001700"
},
"V-243169": {
"checkid": "C-46444r719960_chk",
"checktext": "1. Verify the managed interface has an inbound and outbound ACL or filter.\n\n2. Verify the ingress ACL blocks all transit traffic (any traffic not destined to the router itself). In addition, traffic accessing the managed elements should be originated at the NOC.\n\n3. Verify the egress ACL blocks any traffic not originated by the managed element.\n\nIf the management interface does not have an ingress and egress filter configured and applied, this is a finding.",
"description": "Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.",
"fixid": "F-46401r719961_fix",
"fixtext": "If the management interface is a routed interface, configure it with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.",
"iacontrols": null,
"id": "V-243169",
"ruleID": "SV-243169r719962_rule",
"severity": "medium",
"title": "The network device must be configured with both an ingress and egress ACL.",
"version": "WLAN-ND-001800"
},
"V-243170": {
"checkid": "C-46445r719963_chk",
"checktext": "Review the configuration and verify the network device synchronizes internal information system clocks using redundant authoritative time sources.\n\nIf the device is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.",
"description": "The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.\n\nMultiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.\n\nDoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.",
"fixid": "F-46402r719964_fix",
"fixtext": "Configure the device to synchronize internal information system clocks using redundant authoritative time sources.",
"iacontrols": null,
"id": "V-243170",
"ruleID": "SV-243170r719965_rule",
"severity": "medium",
"title": "The network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.",
"version": "WLAN-ND-001900"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-243153": "true",
"V-243154": "true",
"V-243155": "true",
"V-243156": "true",
"V-243157": "true",
"V-243158": "true",
"V-243159": "true",
"V-243160": "true",
"V-243161": "true",
"V-243162": "true",
"V-243163": "true",
"V-243164": "true",
"V-243165": "true",
"V-243166": "true",
"V-243167": "true",
"V-243168": "true",
"V-243169": "true",
"V-243170": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "network_wlan_ap-nipr_management",
"title": "Network WLAN AP-NIPR Management Security Technical Implementation Guide",
"version": "7"
}
}