| V-28871 | Medium | The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside of learning IP... |
| V-28870 | Medium | The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks. | This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote... |
| V-28872 | Medium | The operating system, at managed interfaces, must deny network traffic and must audit internal users (or malicious code) posing a threat to external information systems. | Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes... |
| V-29096 | Medium | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
| V-28979 | Medium | The operating system uniquely must identify destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28970 | Medium | The operating system must validate the integrity of security attributes exchanged between systems.
| When data is exchanged between information systems, the security attributes associated with the data needs to be maintained.
Security attributes are an abstraction representing the basic... |
| V-28971 | Medium | The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy.
For federal agencies operating a legacy public key... |
| V-28972 | Medium | The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
| Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
| V-28973 | Medium | The operating system must ensure the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
| This requirement is not applicable to operating systems as operating systems do not control the development of the code. |
| V-28974 | Medium | The operating system must limit privileges to change software resident within software libraries (including privileged programs). | When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects... |
| V-28975 | Medium | The operating system must prevent the download of prohibited mobile code.
| Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code technologies... |
| V-28976 | Medium | The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. | Any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system.
Accordingly, only... |
| V-29083 | Medium | The operating system must protect audit information from unauthorized deletion.
| If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the... |
| V-29082 | Medium | The operating system must initiate a session lock after the organization-defined time period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature... |
| V-29081 | Medium | The operating system must protect audit information from unauthorized modification.
| If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the... |
| V-29080 | Medium | The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
| V-29087 | Medium | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature... |
| V-29086 | Medium | The operating system must protect against an individual falsely denying having performed a particular action.
| Non-repudiation of actions taken is required in order to maintain integrity.
Non-repudiation protects individuals against later claims by an author of not having updated a particular file,... |
| V-29085 | Medium | The operating system must provide the capability for users to directly initiate session lock mechanisms. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
| V-29084 | Medium | The operating system must produce audit records on hardware-enforced, write-once media.
| The protection of audit records from unauthorized or accidental deletion or modification requires the operating system produce audit records on hardware-enforced write-once media.
|
| V-29089 | Medium | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.
Remote access is any access to an organizational information system by... |
| V-29088 | Medium | The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.
| The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
| V-28989 | Medium | The operating system must enforce password complexity by the number of special characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password complexity is one factor in determining how long it... |
| V-28769 | Medium | The operating system must provide automated support for account management functions. | A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Examples include, but... |
| V-28988 | Medium | The information system must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
| This is a resolution issue and is not applicable for operating systems. |
| V-29078 | Medium | The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions. | Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. The organization may define the maximum number of concurrent sessions for an... |
| V-28820 | Medium | The operating system must use multifactor authentication for local access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-29009 | Medium | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
| Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as, for the underlying security model. The need... |
| V-29008 | Medium | The operating system must generate a unique session identifier for each session.
| This requirement focuses on communications protection at the application session, versus network packet level and is not applicable for operating systems. |
| V-29003 | Medium | The operating system must analyze outbound communications traffic at selected interior points within the system (e.g., subnets, subsystems), as deemed necessary, to discover anomalies. | This is a networking component requirement and is not applicable to operating system. |
| V-29002 | Medium | The operating system must provide mechanisms to protect the authenticity of communications sessions.
| This control focuses on communications protection at the application session, versus packet level and is not applicable for operating systems. |
| V-29001 | Medium | The operating system must take organization-defined list of least disruptive actions to terminate suspicious events. | System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This... |
| V-29000 | Medium | The information systems collectively must provide name/address resolution service for an operating system implement internal/external role separation.
| This is a resolution issue and is not applicable for operating systems. |
| V-29007 | Medium | The operating system must employ a wireless intrusion detection system to detect potential compromises/breaches to the information system. | This is a network monitoring traffic analysis requirement to deploy wireless intrusion detection system. This is not applicable for operating systems. |
| V-29006 | Medium | The information system must provide a readily observable logout capability whenever authentication is used to gain access to web pages.
| Since this requirement is specific for web pages, it is not applicable for operating systems. |
| V-29005 | Medium | The operating system must employ a wireless intrusion detection system to detect attack attempts to the information system. | This is a network monitoring traffic analysis requirement to deploy wireless intrusion detection system. This is not applicable for operating systems.
|
| V-29004 | Medium | The operating system must invalidate session identifiers upon user logout or other session termination.
| This requirement focuses on communications protection at the application session, versus network packet level and is not applicable for operating systems. |
| V-28787 | Medium | The operating system must employ automated mechanisms to enforce access restrictions. | When dealing with access restrictions pertaining to change control, it should be noted that, any changes to the hardware, software, and/or firmware components of the information system and/or... |
| V-28786 | Medium | The operating system must enforce logical access restrictions associated with changes to the information system. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can... |
| V-28785 | Medium | The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. | In order to control changes in policy, a privileged administrator must be able to change policy filters to support different security policies. |
| V-28783 | Medium | The operating system must track problems associated with the security attribute binding. | The operating system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
| V-28782 | Medium | The operating system must bind security attributes to information to facilitate information flow policy enforcement. | Operating system application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
| V-28781 | Medium | The operating system must enforce security policies regarding information on interconnected systems. | The operating system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
| V-28780 | Medium | The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28866 | Medium | The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system. | The operating system must monitor and control communications at the boundary of the operating system. |
| V-28864 | Medium | The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service attacks. | In the case of Denial of Service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources. |
| V-28865 | Medium | The operating system must limit the use of resources by priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the operating system servicing any higher-priority process. Operating systems must limit potential high... |
| V-28862 | Medium | The operating system must protect against or must limit the effects of the organization-defined or referenced types of Denial of Service attacks. | A variety of technologies exist to limit, or in some cases, eliminate the effects of Denial of Service attacks.
Employing increased capacity combined with service redundancy may reduce the... |
| V-28863 | Medium | The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks. | When it comes to Denial of Service attacks (DoS), most of the attention is paid to ensuring the systems and applications are not victims of these attacks.
While it is true those accountable for... |
| V-28789 | Medium | The operating system must employ automated mechanisms to support auditing of the enforcement actions. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
| V-28861 | Medium | The operating system must not share resources used to interface with systems operating at different security levels. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
| V-29090 | Medium | The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.
| The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
| V-29091 | Medium | The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
| The list of audited events is the set of events for which audits are to be generated.
This set of events is typically a subset of the list of all events for which the system is capable of... |
| V-29092 | Medium | The operating system must use cryptography to protect the confidentiality of remote access sessions. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet.
Remote access is... |
| V-29093 | Medium | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
| Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated.... |
| V-29094 | Medium | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
| V-29095 | Medium | The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor.
| A trust anchor is an authoritative entity represented via a public key and associated data.
When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
| V-28978 | Medium | The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code.
| Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code technologies... |
| V-29097 | Medium | The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.
| The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
If the private key is stolen, this will lead to the compromise of the authentication and... |
| V-29098 | Medium | The operating system, for PKI-based authentication must map the authenticated identity to the user account.
| The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. The... |
| V-29099 | Medium | The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
| V-28828 | Medium | The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices.
It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
| V-28980 | Medium | The operating system uniquely must authenticate destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28778 | Medium | The operating system must enforce approved authorizations for logical access to the system in accordance with applicable policy. | Strong access controls are critical to securing data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms... |
| V-28779 | Medium | The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage. | Information flow control regulates where information is allowed to travel
within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28773 | Medium | The operating system must automatically disable inactive accounts after an organization-defined time period. | Users are often the first line of defense within an application. Active users take notice of system and data conditions and are usually the first to notify systems administrators when they notice... |
| V-28770 | Medium | The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account. | When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists.
To address this, in the... |
| V-28776 | Medium | The operating system must enforce minimum password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password length is one factor of several that helps to determine... |
| V-28777 | Medium | The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system shall not provide any information allowing an... |
| V-28774 | Medium | The operating system must enforce maximum password lifetime restrictions. | Passwords need to be changed at specific policy based intervals. Any password no matter how complex can eventually be cracked.
One method of minimizing this risk is to use complex passwords and... |
| V-28775 | Medium | The operating system must prohibit password reuse for the organization-defined number of generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
To meet password policy requirements, passwords need to be... |
| V-29018 | Medium | The information system must include components proactively seeking to identify web-based malicious code. | This is an application specific requirement is not applicable for operating systems. |
| V-29019 | Medium | The operating system must protect the confidentiality and integrity of information at rest.
| This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
| V-28966 | Medium | The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers. | Blocking restrictions do not include instant messaging services configured by an organization to perform an authorized function.
This requirement specifies blocking any external instant... |
| V-29010 | Medium | The operating system must generate unique session identifiers with organization-defined randomness requirements.
| This requirement focuses on communications protection at the application session, versus network packet level and is not applicable for operating systems. |
| V-29011 | Medium | The operating system must provide notification of failed automated security tests.
| The need to verify security functionality applies to all security functions.
For those security functions unable to execute automated self-tests the organization either implements compensating... |
| V-29012 | Medium | The operating system must fail to an organization-defined known state for organization-defined types of failures.
| Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. It helps prevent a loss of confidentiality, integrity, or availability in... |
| V-29013 | Medium | The operating system must provide automated support for the management of distributed security testing.
| The need to verify security functionality applies to all security functions.
|
| V-29014 | Medium | The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s). | The need to verify security functionality applies to all security functions.
For those security functions unable to execute automated self-tests the organization either implements compensating... |
| V-29015 | Medium | The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web access, ,removable media, or other common means. | This is not applicable for operating systems. This requirement would be for the malicious code protection application. |
| V-29016 | Medium | The operating system must detect unauthorized changes to software and information.
| Unauthorized changes to the operating system software or information on the system can possibly result in integrity or availability concerns. In order to quickly react to this situation, the... |
| V-28794 | Medium | The operating system must employ automated mechanisms to centrally apply configuration settings. | Configuration settings are the configurable security-related parameters of operating system.
Security-related parameters are those parameters impacting the security state of the system... |
| V-28796 | Medium | The operating system must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| V-28818 | Medium | The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands. | Dual authorization mechanisms require two distinct approving authorities to approve the use of the command prior to it being invoked. An organization may determine certain commands or... |
| V-28790 | Medium | The operating system must prevent the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
| V-28792 | Medium | The operating system must support the requirement to automatically audit on account creation. | Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of re-establishing access. A comprehensive account management process... |
| V-28793 | Medium | The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information. | Regarding access restrictions for changes made to organization-defined information system components and system level information. Any changes to the hardware, software, and/or firmware components... |
| V-28813 | Medium | The operating system must use multifactor authentication for network access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-28812 | Medium | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated.
Organizational users include employees or individuals the organization deems... |
| V-30397 | Medium | The operating system must enforce password complexity by the number of numeric characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password complexity is one factor of several that determine how... |
| V-28810 | Medium | The operating system must implement transaction recovery for transaction-based systems. | Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions.
Transaction rollback and... |
| V-30391 | Medium | The operating system must route all remote accesses through managed access control points. | This is a network control and is not applicable to operating systems. |
| V-28925 | Medium | The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. | This requirement applies to both internal and external networks.
Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs... |
| V-30393 | Medium | The operating system must disable network access by components/devices or notifies designated organizational officials. | This is a network function and is not applicable to operating systems. |
| V-30392 | Medium | The operating system must monitor for unauthorized remote connections to the information system on an organization-defined frequency. | This is a network control and is not applicable to the operating system. |
| V-28948 | Medium | The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network.
Remote access to... |
| V-29032 | Medium | The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.
| Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report... |
| V-28836 | Medium | The operating system must employ automated mechanisms to assist in the tracking of security incidents. | This is not applicable for operating systems. This requirement is specific for monitoring applications or network devices that are purposed for this requirement. |
| V-28827 | Medium | The operating system must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
| V-29025 | Medium | The operating system must update spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
| This is an email requirement and is not applicable to operating systems. |
| V-29024 | Medium | The operating system must employ malicious code protection mechanisms at operating system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media or other common means.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29027 | Medium | The operating system must enforce one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| V-29026 | Medium | The information system must automatically update spam protection mechanisms (including signature definitions).
| This is an email requirement and is not applicable to operating system. |
| V-29021 | Medium | The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
| Organizations may require the information system to load the operating environment from hardware enforced read-only media. The term operating environment is defined as the code upon which... |
| V-29020 | Medium | The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
| Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative... |
| V-29023 | Medium | The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.
| Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified... |
| V-28834 | Medium | The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all operating system users other than organizational users which include employees or individuals the organization deems to have equivalent status of employees... |
| V-29029 | Medium | The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.
| Organizations may require operating systems to be non-modifiable or to be stored and executed on non-writeable storage. Use of non-modifiable storage ensures the integrity of the program from the... |
| V-28837 | Medium | The operating system must check all media containing diagnostic and test programs for malicious code before the media can be used in the information system. | This is not applicable for operating systems. Operating systems require the use of malicious code protection. It is the requirement of that software to check media. |
| V-28908 | Medium | The operating system must automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
| V-28945 | Medium | The operating system must make provisions so encrypted traffic is visible to information system monitoring tools.
| This requirement is a combination of the network placement and the applications being used and is not applicable for operating systems. |
| V-28947 | Medium | The operating system must analyze outbound communications traffic at the external boundary of the system (i.e., system perimeter).
| This is not applicable for the operating system. This is a network perimeter requirement. |
| V-28946 | Medium | The operating system must use cryptography to protect the integrity of remote access sessions. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network.
If cryptography is... |
| V-28941 | Medium | The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
| V-28943 | Medium | The operating system must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data.
Use of weak or un-tested encryption algorithms undermines the purposes of utilizing... |
| V-28942 | Medium | The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
| Intrusion-monitoring tools can accumulate a significant amount of sensitive data; examples could include user account information and application data not related to the intrusion monitoring... |
| V-28831 | Medium | The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
Attackers able to... |
| V-28821 | Medium | The operating system must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-29142 | Medium | The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
| Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen or misplaced, attempts can be made to unlock the device by guessing the PIN. In order to... |
| V-29143 | Medium | The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
| Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system.... |
| V-29140 | Medium | The operating system must uniquely identify source domains for information transfer.
| Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29141 | Medium | The operating system must uniquely authenticate source domains for information transfer.
| Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28927 | Medium | The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
| V-28926 | Medium | The operating system must provide a near real-time alert when any of the organization-defined list of compromise or potential compromise indicators occurs. | When an intrusion detection security event occurs it is imperative the operating system that has detected the event immediately notify the appropriate support personnel so they can respond accordingly. |
| V-30388 | Medium | The operating system must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| V-30389 | Medium | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
| V-28923 | Medium | The operating system must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
| This is not applicable for operating systems. This requirement would be for the IDS/IPS device or application.
|
| V-28921 | Medium | The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. | Confidentiality of the data must be maintained to ensure unauthorized users or processes do not have access to it. This can be accomplished via access control mechanisms or encryption. |
| V-28920 | Medium | The organization must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
| This requirement concerns work connection of devices and is not applicable to operating systems. |
| V-30382 | Medium | The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account. | When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event... |
| V-28801 | Medium | The operating system must be configured to provide essential capabilities. | Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
| V-28802 | Medium | The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. | Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
| V-30381 | Medium | The operating system must enforce requirements for the connection of mobile devices to operating systems. | Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can... |
| V-28804 | Medium | The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system. | Baselining of systems allows for a mechanism to determine when unauthorized additions or changes are made. It also ensures the appropriate patch management is in place for the components on the system. |
| V-28805 | Medium | The operating system must dynamically manage user privileges and associated access authorizations. | While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization.... |
| V-28806 | Medium | The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users.
Backups... |
| V-28807 | Medium | The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability.
System-level information includes system-state information, operating system and application software,... |
| V-28929 | Medium | The operating system must establish a trusted communications path between the user and organization-defined security functions within the operating system. | The user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
A trusted path shall be... |
| V-28803 | Medium | The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications. | Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization defined specifications. |
| V-28830 | Medium | The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage both users and devices.
It is an additional layer of authentication ensuring only specific pre-authorized devices operated... |
| V-30385 | Medium | The operating system must notify, as required, appropriate individuals when account is disabled. | Monitoring account disabling is critical to ensure a denial of service situation does not exist on the operating system. An unexpected account deletion can also be a sign of a rogue administrator... |
| V-28893 | Medium | The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts made to login to their account allows the... |
| V-28892 | Medium | The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices. | A host-based boundary protection mechanism is a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers and other types of... |
| V-28891 | Medium | The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of successful attempts made to login to their account allows the user... |
| V-28890 | Medium | The operating system must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination. | In the case of the operating system, the boundary may be the workstation on the public internet.
In order to thwart an attack the operating system must be able to ensure communications are coming... |
| V-29036 | Medium | The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. | In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves... |
| V-28896 | Medium | The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. | Managed interfaces employing boundary protection must be used for operating systems when using privileged accesses. |
| V-28895 | Medium | The operating system must notify the user of organization-defined security-related changes to the user’s account that occur during the organization-defined time period. | Some organizations may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of... |
| V-28894 | Medium | The operating system must isolate organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the system. | This is a physical separation requirement and is not applicable. |
| V-28899 | Medium | The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
| Malicious code protection software must be protected so as to prevent a non-privileged user or a malicious piece of software from disabling the protection mechanism. A common tactic of malware is... |
| V-28898 | Medium | The operating system must prevent discovery of specific system components (or devices) composing a managed interface. | Allowing discovery of operating system resources, names, or components can lead to giving information to an attacker that may be used as an attack vector. |
| V-28838 | Medium | The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | The intent of this control is to address the security-related issues arising from the software brought into the operating system specifically for diagnostic and repair actions (e.g., a software... |
| V-28952 | Medium | The operating system must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption... |
| V-28953 | Medium | The operating system must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption... |
| V-29139 | Medium | The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.
| Information flow control regulates where information is allowed to travel within an operating system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29138 | Medium | The operating system, when transferring information between different security domains, must detect unsanctioned information.
| Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28956 | Medium | The operating system must provide the capability to remotely view/hear all content related to an established user session in real time. | If required at the operating system, this requirement will be fulfilled by an application. This requirement is not applicable for operating systems. |
| V-28957 | Medium | The operating system must initiate session audits at system start-up. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
| V-28954 | Medium | The operating system must provide the capability to capture/record and log all content related to a user session. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
| V-28955 | Medium | The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption... |
| V-28958 | Medium | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes time stamps, source... |
| V-28959 | Medium | The operating system must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may... |
| V-29137 | Medium | The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29135 | Medium | The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
| Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29134 | Medium | The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| V-28934 | Medium | The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures.
In addition to being required for the effective... |
| V-28935 | Medium | The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. | Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking... |
| V-28936 | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures.
In addition to being required for the effective... |
| V-28937 | Medium | The operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
| Intrusion detection and prevention capabilities must be architected and implemented to prevent non-privileged users from circumventing such protections. This can be accomplished through the use of... |
| V-28930 | Medium | The operating system must only allow authorized users to associate security attributes with information. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
| V-28931 | Medium | The operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures.
In addition to being required for the effective... |
| V-28932 | Medium | The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| V-28938 | Medium | The operating system must notify an organization-defined list of incident response personnel (identified by name and/or by role) of suspicious events.
| This is not applicable for operating systems. This requirement would be for the IDS/IPS device or application.
|
| V-28819 | Medium | The operating system must use multifactor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-28832 | Medium | The operating system must dynamically manage identifiers, attributes, and associated access authorizations. | Dynamic management of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with... |
| V-28829 | Medium | The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices.
It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
| V-30377 | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| V-30376 | Medium | The operating system must prevent the execution of prohibited mobile code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code technologies... |
| V-30375 | Medium | The operating system must ensure the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements. | This requirement is not applicable to operating systems as the acquisition of operating systems does not impact mobile code. |
| V-28885 | Medium | The operating system must enforce the number of characters changed when passwords are changed. | Passwords need to be changed at specific policy based intervals.
If the operating system allows the user to consecutively reuse extensive portions of their password when they change their... |
| V-28887 | Medium | The operating system must enforce password encryption for storage. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. |
| V-28888 | Medium | The operating system must enforce password encryption for transmission. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them. |
| V-28889 | Medium | The operating system must enforce minimum password lifetime restrictions. | Passwords need to be changed at specific policy based intervals, however if the information system or application allows the user to immediately and continually change their password then the... |
| V-30379 | Medium | The operating system must protect wireless access to the system using authentication. | This is a network element check and does not apply to operating systems. |
| V-30378 | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| V-29128 | Medium | The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
| Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be... |
| V-30395 | Medium | The operating system must protect against unauthorized physical connections across the boundary protections implemented at an organization-defined list of managed interfaces. | This is a network boundary check and is not applicable to operating systems. |
| V-29045 | Medium | The operating system must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29044 | Medium | The operating system must configure malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29042 | Medium | The operating system must configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29041 | Medium | The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29040 | Medium | The operating system must configure malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29120 | Medium | The operating system must validate the binding of the information producer’s identity to the information.
| Predictable failure prevention requires organizational planning to address system failure issues. If a subsystem of the operating system, hardware, or the operating system itself, is key to... |
| V-29121 | Medium | The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
| When it comes to data review and data release, there must be a correlation between the reviewed data and the person who performs the review. If the reviewer is a human or if the review function is... |
| V-30383 | Medium | The operating system must notify, as required, appropriate individuals when accounts are created. | Monitoring account creation is critical to ensure only appropriate personnel have access to the operating system. This reduces the possibility a rogue account will be created. In order to... |
| V-29124 | Medium | The operating system must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
| It is critical when an operating system is at risk of failing to process audit logs as required it takes action to mitigate the failure. If the system were to continue processing without auditing... |
| V-28811 | Medium | The operating system must enforce explicit rules governing the installation of software by users. | The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what... |
| V-29126 | Medium | The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
| Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an... |
| V-29048 | Medium | The operating system must automatically update malicious code protection mechanisms, including signature definitions.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application. |
| V-28901 | Medium | The operating system must update malicious code protection mechanisms only when directed by a privileged user.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-28900 | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in storage. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information.
These attributes are... |
| V-28903 | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in process. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information.
These attributes are... |
| V-28902 | Medium | The operating system must employ automated mechanisms to enforce strict adherence to protocol format. | Crafted packets not conforming to IEEE standards can be used by malicious people to exploit a host’s protocol stack to create a Denial of Service or force a device reset. |
| V-28905 | Medium | The operating system must fail securely in the event of an operational failure of a boundary protection device. | Fail secure is a condition achieved by the operating system employing a set of information system mechanisms to ensure, in the event of an operational failure of a boundary protection device at a... |
| V-28904 | Medium | The operating system must not allow users to introduce removable media into the information system.
| Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives.
In order to prevent propagation and potential infection due to... |
| V-28907 | Medium | The operating system must protect the integrity of transmitted information. | Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across... |
| V-28906 | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| V-28909 | Medium | The operating system must automatically audit account disabling actions. | When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and... |
| V-28798 | Medium | The operating system must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| V-29030 | Medium | The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system potentially impacting the operation of security functions in a manner that could result in failure to enforce the... |
| V-30390 | Medium | The operating system must enforce requirements for remote connections to the information system. | The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the... |
| V-28825 | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to... |
| V-29031 | Medium | The operating system must install software update automatically.
| Security faults with software applications and operating systems are discovered daily and vendors are constantly updating and patching their products to address newly discovered security... |
| V-28859 | Medium | The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| V-29129 | Medium | The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
| Audits records can be generated from various components within the operating system. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
| V-30380 | Medium | The operating system must protect wireless access to the system using encryption.
| This is a network element check and does not apply to the operating system. |
| V-28992 | Medium | The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths. | This is a requirement that maintenance needs to be done on a separate interface or encrypted channel so as to segment maintenance activity from regular usage. When performing non-local... |
| V-29073 | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| V-29122 | Medium | The operating system must validate the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
| This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when the transfer is occurring between... |
| V-29037 | Medium | The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. | Protected processing domains can be used to separate different data types. The operating system must enforce information flow control to ensure information does not pass into domains that are not... |
| V-29117 | Medium | The operating system must reveal error messages only to authorized personnel.
| If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be... |
| V-29111 | Medium | The operating system must allocate audit record storage capacity. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-29110 | Medium | The operating system must support the requirement to centrally manage the content of audit records generated by organization-defined information system components. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time... |
| V-29113 | Medium | The operating system must alert designated organizational officials in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures... |
| V-29112 | Medium | The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-29038 | Medium | The operating system must update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
| This is not applicable for operating systems. This requirement would be for the malicious code protection application.
|
| V-29035 | Medium | The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29119 | Medium | The operating system must associate the identity of the information producer with the information.
| Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer.
|
| V-29118 | Medium | The operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization-defined alarm and/or automatically shuts down the operating system.
| Predictable failure prevention requires organizational planning to address system failure issues. If a subsystem of the operating system, hardware, or the operating system itself, is key to... |
| V-29125 | Medium | The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
| Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
| V-28835 | Medium | The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected. | When responding to a security incident a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization... |
| V-29055 | Medium | The operating system must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29056 | Medium | The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29057 | Medium | The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29050 | Medium | The operating system must enforce organization-defined limitations on the embedding of data types within other data types. | Embedding of data within other data is often used for the clandestine transfer of data. Embedding of data within other data can circumvent protections in place to protect information and systems. |
| V-29051 | Medium | The operating system must enforce information flow control on metadata. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28833 | Medium | The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and... |
| V-29053 | Medium | The operating system must support organization-defined one-way flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29127 | Medium | The operating system must use cryptographic mechanisms to protect the integrity of audit information.
| Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data.
|
| V-29058 | Medium | The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
| It is critical when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include, software/hardware... |
| V-29059 | Medium | The operating system must implement separation of duties through assigned information system access authorizations. | Separation of duties is a prevalent Information Technology control implemented at different layers of the information system, including the operating system and in applications. It serves to... |
| V-28857 | Medium | The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| V-28856 | Medium | The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| V-28855 | Medium | The operating system must isolate security functions from nonsecurity functions. | Operating system management functionality includes functions necessary to administer the operating, network components, workstations, or servers, and typically requires privileged user access.... |
| V-28854 | Medium | The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. | Operating system management functionality includes functions necessary to administer the operating, network components, workstations, or servers, and typically requires privileged user access.... |
| V-28853 | Medium | The operating system must separate user functionality (including user interface services) from operating system management functionality. | Operating system management functionality includes functions necessary to administer machine, network components, workstations, or servers, and typically requires privileged user access.
The... |
| V-28852 | Medium | The operating system must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and... |
| V-28918 | Medium | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. | Ensuring the confidentiality of transmitted information requires operating systems take feasible measures to employ transmission layer security. This requirement applies to communications across... |
| V-28919 | Medium | The operating system must only allow authorized entities to change security attributes. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| V-28916 | Medium | The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| V-28914 | Medium | The operating system must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-28915 | Medium | The operating system must protect the confidentiality of transmitted information. | Ensuring the confidentiality of transmitted information requires operating systems take feasible measures to employ transmission layer security. This requirement applies to communications across... |
| V-28912 | Medium | The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission. | Ensuring the confidentiality of transmitted information requires the operating system take measures in preparing information for transmission. This can be accomplished via access control or encryption. |
| V-28913 | Medium | The operating system must automatically audit account termination. | Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The... |
| V-28910 | Medium | The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. | Ensuring the integrity of transmitted information requires operating systems take measures to employ some form of cryptographic mechanism in order to recognize changes to information. This is... |
| V-28939 | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures.
In addition to being required for the effective... |
| V-30387 | Medium | The operating system must use cryptographic mechanisms to protect the integrity of audit tools. | Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what attempted to be done, where it was done, when it was done,... |
| V-28882 | Medium | The operating system must connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. | The operating system must ensure traffic flows through only managed interfaces. For operating systems on the perimeter of the network (e.g., laptops connecting remotely) this helps protect the... |
| V-28869 | Medium | The operating system at managed interfaces must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). | Access into an organizations internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the boundary may be the workstation on... |
| V-29102 | Medium | The operating system must enforce password complexity by the number of lower case characters used.
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password complexity is one factor of several that determine how... |
| V-29103 | Medium | The operating system must produce audit records containing sufficient information to establish what type of events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-29046 | Medium | The operating system must prevent encrypted data from bypassing content checking mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| V-29101 | Medium | The operating system must identify potentially security-relevant error conditions.
| The structure and content of error messages need to be carefully considered by the organization. The extent to which the operating system is able to identify and handle error conditions is guided... |
| V-29106 | Medium | The operating system must produce audit records containing sufficient information to establish where the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-28868 | Medium | The operating system must prevent public access into an organization’s internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. | Access into an organization’s internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation... |
| V-29104 | Medium | The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | Any operating system providing too much information in error logs and in administrative messages to the screen, risks compromising the data and security of the structure and content of error... |
| V-29105 | Medium | The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-30394 | Medium | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aide in elimination of the software from the... |
| V-28809 | Medium | The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability.
Information system and security related documentation contains information pertaining to system... |
| V-29109 | Medium | The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, time stamps,... |
| V-28826 | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to... |
| V-29061 | Medium | The operating system must provide a real-time alert when organization-defined audit failure events occur.
| It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures... |
| V-29060 | Medium | The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
| It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures... |
| V-29063 | Medium | The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
| V-29062 | Medium | The information system must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
| This is not applicable for operating systems as network traffic monitoring is outside the scope of the operating system monitoring. |
| V-29065 | Medium | The operating system must enforce the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period. | Anytime an authentication method is exposed, allowing for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access.
To defeat these... |
| V-29064 | Medium | To support audit review, analysis, and reporting the operating system must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | This is not applicable to operating systems. The data from the operating system will be used by an application which will meet the requirement. |
| V-29067 | Medium | The operating system must support an audit reduction capability.
| Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
| V-29066 | Medium | Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
| Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
| V-29069 | Medium | The operating system audit records must be able to be used by a report generation capability.
| Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a network element that has been... |
| V-29068 | Medium | The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy. | Anytime an authentication method is exposed to allow for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access.
To defeat these... |
| V-28983 | Medium | The information system must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
| This is a resolution issue and is not applicable for operating systems. |
| V-28982 | Medium | The operating system must track problems associated with the information transfer. | When an operating system transfers data, there is the chance an error or problem with the data transfer may occur. The operating system needs to track failures and any problems encountered when... |
| V-28985 | Medium | The operating system, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust.
| This is a resolution issue and is not applicable for operating systems. |
| V-28984 | Medium | The information system must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds. | This is a network traffic requirement and is not applicable for operating systems. |
| V-28987 | Medium | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| V-28844 | Medium | The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-28969 | Medium | The operating system must associate security attributes with information exchanged between information systems.
| When data is exchanged between information systems, the security attributes associated with the data needs to be maintained.
Security attributes are an abstraction representing the basic... |
| V-28840 | Medium | The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-28841 | Medium | The operating system must terminate all sessions and network connections when non-local maintenance is completed. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-28842 | Medium | The operating system must audit non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-28843 | Medium | The operating system must protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-28963 | Medium | The operating system must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may... |
| V-28962 | Medium | The operating system must protect the integrity and availability of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of... |
| V-28961 | Medium | The operating system must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may... |
| V-28960 | Medium | The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption... |
| V-28848 | Medium | The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss.
An organizational assessment of risk... |
| V-29100 | Medium | The operating system must enforce password complexity by the number of upper case characters used.
| Password complexity or strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password complexity is one factor of several that determine how... |
| V-28964 | Medium | The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed. | Collaborative computing devices include networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. |
| V-30384 | Medium | The operating system must notify, as required, appropriate individuals when accounts are modified. | Monitoring account modification is critical to ensure only appropriate personnel have access to the operating system. This reduces the possibility that an account will be given more access than... |
| V-28822 | Medium | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated.
Users (and any processes acting on behalf of users)... |
| V-28824 | Medium | The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-28860 | Medium | The operating system must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
| V-29107 | Medium | The operating system must produce audit records containing sufficient information to establish the sources of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| V-28996 | Medium | The information system, when operating as part of a distributed, hierarchical namespace, must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). | This is a resolution issue and is not applicable for operating systems. |
| V-28997 | Medium | The operating system must recognize only system-generated session identifiers. | This requirement focuses on communications protection at the application session, versus network packet level and is not applicable for operating systems. |
| V-28994 | Medium | The information systems that collectively provide name/address resolution service for an operating system must be fault-tolerant.
| This is a resolution issue and is not applicable for operating systems. |
| V-29130 | Medium | The operating system must monitor for atypical usage of operating system accounts.
| Atypical account usage is behavior that is not part of normal usage cycles, e.g., accounts logging in after hours or on weekends. |
| V-30396 | Medium | The operating system must ensure the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements. | This is an application requirement and does not apply to operating systems. |
| V-28993 | Medium | The operating system must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Mobile code... |
| V-28991 | Medium | The information system must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
| This is a resolution issue and is not applicable for operating systems. |
| V-30386 | Medium | The operating system must notify, as required, appropriate individuals for account termination. | Monitoring account termination is critical to ensure a denial of service situation does not exist on the operating system. An unexpected account termination can also be a sign of a rogue... |
| V-28998 | Medium | The operating system must preserve organization-defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
| V-28999 | Medium | The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. | In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes... |
| V-28823 | Medium | The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
| V-29034 | Medium | The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
| The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security... |
| V-29079 | Medium | The operating system must protect audit information from unauthorized read access.
| If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve.
To... |
| V-29076 | Medium | The operating system must check the validity of information inputs.
| Invalid user input occurs when a user inserts data or characters the system is unprepared to process that data. This results in unanticipated behavior that could lead to a compromise. |
| V-29077 | Medium | The operating system must synchronize internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
| Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Synchronization of system clocks... |
| V-29074 | Medium | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account... |
| V-29075 | Medium | The operating system must use internal system clocks to generate time stamps for audit records.
| Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
Time stamps generated by the information... |
| V-29072 | Medium | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
| Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
| V-29108 | Medium | The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time... |
| V-29070 | Medium | The operating system must display the DoD approved system use notification message or banner before granting access to the system. | The operating system is required to display the DoD approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far... |
| V-29071 | Medium | The operating system must retain the notification message or banner on the screen until users take explicit actions to logon for further access. | To establish acceptance of system usage policy, a click-through banner at operating system logon is required. The banner must prevent further activity on the application unless and until the user... |
