UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Operating System Security Requirements Guide



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-28871 Medium The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
V-28870 Medium The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
V-28872 Medium The operating system, at managed interfaces, must deny network traffic and must audit internal users (or malicious code) posing a threat to external information systems.
V-29096 Medium The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
V-28979 Medium The operating system uniquely must identify destination domains for information transfer.
V-28970 Medium The operating system must validate the integrity of security attributes exchanged between systems.
V-28971 Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-28972 Medium The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-28973 Medium The operating system must ensure the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
V-28974 Medium The operating system must limit privileges to change software resident within software libraries (including privileged programs).
V-28975 Medium The operating system must prevent the download of prohibited mobile code.
V-28976 Medium The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
V-29083 Medium The operating system must protect audit information from unauthorized deletion.
V-29082 Medium The operating system must initiate a session lock after the organization-defined time period of inactivity.
V-29081 Medium The operating system must protect audit information from unauthorized modification.
V-29080 Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-29087 Medium The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-29086 Medium The operating system must protect against an individual falsely denying having performed a particular action.
V-29085 Medium The operating system must provide the capability for users to directly initiate session lock mechanisms.
V-29084 Medium The operating system must produce audit records on hardware-enforced, write-once media.
V-29089 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-29088 Medium The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.
V-28989 Medium The operating system must enforce password complexity by the number of special characters used.
V-28769 Medium The operating system must provide automated support for account management functions.
V-28988 Medium The information system must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-29078 Medium The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
V-28820 Medium The operating system must use multifactor authentication for local access to privileged accounts.
V-29009 Medium The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
V-29008 Medium The operating system must generate a unique session identifier for each session.
V-29003 Medium The operating system must analyze outbound communications traffic at selected interior points within the system (e.g., subnets, subsystems), as deemed necessary, to discover anomalies.
V-29002 Medium The operating system must provide mechanisms to protect the authenticity of communications sessions.
V-29001 Medium The operating system must take organization-defined list of least disruptive actions to terminate suspicious events.
V-29000 Medium The information systems collectively must provide name/address resolution service for an operating system implement internal/external role separation.
V-29007 Medium The operating system must employ a wireless intrusion detection system to detect potential compromises/breaches to the information system.
V-29006 Medium The information system must provide a readily observable logout capability whenever authentication is used to gain access to web pages.
V-29005 Medium The operating system must employ a wireless intrusion detection system to detect attack attempts to the information system.
V-29004 Medium The operating system must invalidate session identifiers upon user logout or other session termination.
V-28787 Medium The operating system must employ automated mechanisms to enforce access restrictions.
V-28786 Medium The operating system must enforce logical access restrictions associated with changes to the information system.
V-28785 Medium The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
V-28783 Medium The operating system must track problems associated with the security attribute binding.
V-28782 Medium The operating system must bind security attributes to information to facilitate information flow policy enforcement.
V-28781 Medium The operating system must enforce security policies regarding information on interconnected systems.
V-28780 Medium The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-28866 Medium The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
V-28864 Medium The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service attacks.
V-28865 Medium The operating system must limit the use of resources by priority.
V-28862 Medium The operating system must protect against or must limit the effects of the organization-defined or referenced types of Denial of Service attacks.
V-28863 Medium The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks.
V-28789 Medium The operating system must employ automated mechanisms to support auditing of the enforcement actions.
V-28861 Medium The operating system must not share resources used to interface with systems operating at different security levels.
V-29090 Medium The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.
V-29091 Medium The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
V-29092 Medium The operating system must use cryptography to protect the confidentiality of remote access sessions.
V-29093 Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
V-29094 Medium The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
V-29095 Medium The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-28978 Medium The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code.
V-29097 Medium The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.
V-29098 Medium The operating system, for PKI-based authentication must map the authenticated identity to the user account.
V-29099 Medium The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-28828 Medium The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.
V-28980 Medium The operating system uniquely must authenticate destination domains for information transfer.
V-28778 Medium The operating system must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-28779 Medium The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage.
V-28773 Medium The operating system must automatically disable inactive accounts after an organization-defined time period.
V-28770 Medium The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.
V-28776 Medium The operating system must enforce minimum password length.
V-28777 Medium The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-28774 Medium The operating system must enforce maximum password lifetime restrictions.
V-28775 Medium The operating system must prohibit password reuse for the organization-defined number of generations.
V-29018 Medium The information system must include components proactively seeking to identify web-based malicious code.
V-29019 Medium The operating system must protect the confidentiality and integrity of information at rest.
V-28966 Medium The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers.
V-29010 Medium The operating system must generate unique session identifiers with organization-defined randomness requirements.
V-29011 Medium The operating system must provide notification of failed automated security tests.
V-29012 Medium The operating system must fail to an organization-defined known-state for organization-defined types of failures.
V-29013 Medium The operating system must provide automated support for the management of distributed security testing.
V-29014 Medium The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s).
V-29015 Medium The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web access, removable media, or other common means.
V-29016 Medium The operating system must detect unauthorized changes to software and information.
V-28794 Medium The operating system must employ automated mechanisms to centrally apply configuration settings.
V-28796 Medium The operating system must employ automated mechanisms to centrally verify configuration settings.
V-28818 Medium The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands.
V-28790 Medium The operating system must prevent the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.
V-28792 Medium The operating system must support the requirement to automatically audit on account creation.
V-28793 Medium The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information.
V-28813 Medium The operating system must use multifactor authentication for network access to privileged accounts.
V-28812 Medium The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
V-30397 Medium The operating system must enforce password complexity by the number of numeric characters used.
V-28810 Medium The operating system must implement transaction recovery for transaction-based systems.
V-30391 Medium The operating system must route all remote accesses through managed access control points.
V-28925 Medium The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
V-30393 Medium The operating system must disable network access by components/devices or notifies designated organizational officials.
V-30392 Medium The operating system must monitor for unauthorized remote connections to the information system on an organization-defined frequency.
V-28948 Medium The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
V-29032 Medium The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.
V-28836 Medium The operating system must employ automated mechanisms to assist in the tracking of security incidents.
V-28827 Medium The operating system must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection.
V-29025 Medium The operating system must update spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
V-29024 Medium The operating system must employ malicious code protection mechanisms at operating system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media or other common means.
V-29027 Medium The operating system must enforce one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
V-29026 Medium The information system must automatically update spam protection mechanisms (including signature definitions).
V-29021 Medium The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
V-29020 Medium The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-29023 Medium The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.
V-28834 Medium The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-29029 Medium The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.
V-28837 Medium The operating system must check all media containing diagnostic and test programs for malicious code before the media can be used in the information system.
V-28908 Medium The operating system must automatically audit account modification.
V-28945 Medium The operating system must make provisions so encrypted traffic is visible to information system monitoring tools.
V-28947 Medium The operating system must analyze outbound communications traffic at the external boundary of the system (i.e., system perimeter).
V-28946 Medium The operating system must use cryptography to protect the integrity of remote access sessions.
V-28941 Medium The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-28943 Medium The operating system must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-28942 Medium The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
V-28831 Medium The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity.
V-28821 Medium The operating system must use multifactor authentication for local access to non-privileged accounts.
V-29142 Medium The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
V-29143 Medium The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
V-29140 Medium The operating system must uniquely identify source domains for information transfer.
V-29141 Medium The operating system must uniquely authenticate source domains for information transfer.
V-28927 Medium The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.
V-28926 Medium The operating system must provide a near real-time alert when any of the organization-defined list of compromise or potential compromise indicators occurs.
V-30388 Medium The operating system must employ automated mechanisms to centrally manage configuration settings.
V-30389 Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-28923 Medium The operating system must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
V-28921 Medium The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
V-28920 Medium The organization must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
V-30382 Medium The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.
V-28801 Medium The operating system must be configured to provide essential capabilities.
V-28802 Medium The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
V-30381 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-28804 Medium The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-28805 Medium The operating system must dynamically manage user privileges and associated access authorizations.
V-28806 Medium The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-28807 Medium The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-28929 Medium The operating system must establish a trusted communications path between the user and organization-defined security functions within the operating system.
V-28803 Medium The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.
V-28830 Medium The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices.
V-30385 Medium The operating system must notify, as required, appropriate individuals when account is disabled.
V-28893 Medium The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization-defined time period.
V-28892 Medium The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-28891 Medium The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period.
V-28890 Medium The operating system must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-29036 Medium The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-28896 Medium The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
V-28895 Medium The operating system must notify the user of organization-defined security-related changes to the user’s account that occur during the organization-defined time period.
V-28894 Medium The operating system must isolate organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.
V-28899 Medium The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
V-28898 Medium The operating system must prevent discovery of specific system components (or devices) composing a managed interface.
V-28838 Medium The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
V-28952 Medium The operating system must employ FIPS-validated cryptography to protect unclassified information.
V-28953 Medium The operating system must employ NSA-approved cryptography to protect classified information.
V-29139 Medium The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.
V-29138 Medium The operating system, when transferring information between different security domains, must detect unsanctioned information.
V-28956 Medium The operating system must provide the capability to remotely view/hear all content related to an established user session in real time.
V-28957 Medium The operating system must initiate session audits at system start-up.
V-28954 Medium The operating system must provide the capability to capture/record and log all content related to a user session.
V-28955 Medium The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals.
V-28958 Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-28959 Medium The operating system must protect audit tools from unauthorized access.
V-29137 Medium The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements.
V-29135 Medium The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-29134 Medium The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.
V-28934 Medium The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
V-28935 Medium The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-28936 Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
V-28937 Medium The operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-28930 Medium The operating system must only allow authorized users to associate security attributes with information.
V-28931 Medium The operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.
V-28932 Medium The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.
V-28938 Medium The operating system must notify an organization-defined list of incident response personnel (identified by name and/or by role) of suspicious events.
V-28819 Medium The operating system must use multifactor authentication for network access to non-privileged accounts.
V-28832 Medium The operating system must dynamically manage identifiers, attributes, and associated access authorizations.
V-28829 Medium The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices.
V-30377 Medium The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-30376 Medium The operating system must prevent the execution of prohibited mobile code.
V-30375 Medium The operating system must ensure the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
V-28885 Medium The operating system must enforce the number of characters changed when passwords are changed.
V-28887 Medium The operating system must enforce password encryption for storage.
V-28888 Medium The operating system must enforce password encryption for transmission.
V-28889 Medium The operating system must enforce minimum password lifetime restrictions.
V-30379 Medium The operating system must protect wireless access to the system using authentication.
V-30378 Medium The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
V-29128 Medium The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
V-30395 Medium The operating system must protect against unauthorized physical connections across the boundary protections implemented at an organization-defined list of managed interfaces.
V-29045 Medium The operating system must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
V-29044 Medium The operating system must configure malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
V-29042 Medium The operating system must configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.
V-29041 Medium The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations.
V-29040 Medium The operating system must configure malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
V-29120 Medium The operating system must validate the binding of the information producer’s identity to the information.
V-29121 Medium The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-30383 Medium The operating system must notify, as required, appropriate individuals when accounts are created.
V-29124 Medium The operating system must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-28811 Medium The operating system must enforce explicit rules governing the installation of software by users.
V-29126 Medium The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
V-29048 Medium The operating system must automatically update malicious code protection mechanisms, including signature definitions.
V-28901 Medium The operating system must update malicious code protection mechanisms only when directed by a privileged user.
V-28900 Medium The operating system must support and maintain the binding of organization-defined security attributes to information in storage.
V-28903 Medium The operating system must support and maintain the binding of organization-defined security attributes to information in process.
V-28902 Medium The operating system must employ automated mechanisms to enforce strict adherence to protocol format.
V-28905 Medium The operating system must fail securely in the event of an operational failure of a boundary protection device.
V-28904 Medium The operating system must not allow users to introduce removable media into the information system.
V-28907 Medium The operating system must protect the integrity of transmitted information.
V-28906 Medium The operating system must support and maintain the binding of organization-defined security attributes to information in transmission.
V-28909 Medium The operating system must automatically audit account disabling actions.
V-28798 Medium The operating system must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
V-29030 Medium The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states.
V-30390 Medium The operating system must enforce requirements for remote connections to the information system.
V-28825 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-29031 Medium The operating system must install software update automatically.
V-28859 Medium The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-29129 Medium The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-30380 Medium The operating system must protect wireless access to the system using encryption.
V-28992 Medium The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.
V-29073 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
V-29122 Medium The operating system must validate the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-29037 Medium The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
V-29117 Medium The operating system must reveal error messages only to authorized personnel.
V-29111 Medium The operating system must allocate audit record storage capacity.
V-29110 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization-defined information system components.
V-29113 Medium The operating system must alert designated organizational officials in the event of an audit processing failure.
V-29112 Medium The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
V-29038 Medium The operating system must update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-29035 Medium The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-29119 Medium The operating system must associate the identity of the information producer with the information.
V-29118 Medium The operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization-defined alarm and/or automatically shuts down the operating system.
V-29125 Medium The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
V-28835 Medium The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected.
V-29055 Medium The operating system must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions.
V-29056 Medium The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters.
V-29057 Medium The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies.
V-29050 Medium The operating system must enforce organization-defined limitations on the embedding of data types within other data types.
V-29051 Medium The operating system must enforce information flow control on metadata.
V-28833 Medium The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-29053 Medium The operating system must support organization-defined one-way flows using hardware mechanisms.
V-29127 Medium The operating system must use cryptographic mechanisms to protect the integrity of audit information.
V-29058 Medium The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
V-29059 Medium The operating system must implement separation of duties through assigned information system access authorizations.
V-28857 Medium The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
V-28856 Medium The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-28855 Medium The operating system must isolate security functions from nonsecurity functions.
V-28854 Medium The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
V-28853 Medium The operating system must separate user functionality (including user interface services) from operating system management functionality.
V-28852 Medium The operating system must employ cryptographic mechanisms to protect information in storage.
V-28918 Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-28919 Medium The operating system must only allow authorized entities to change security attributes.
V-28916 Medium The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-28914 Medium The operating system must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-28915 Medium The operating system must protect the confidentiality of transmitted information.
V-28912 Medium The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
V-28913 Medium The operating system must automatically audit account termination.
V-28910 Medium The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
V-28939 Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.
V-30387 Medium The operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-28882 Medium The operating system must connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-28869 Medium The operating system at managed interfaces must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
V-29102 Medium The operating system must enforce password complexity by the number of lower case characters used.
V-29103 Medium The operating system must produce audit records containing sufficient information to establish what type of events occurred.
V-29046 Medium The operating system must prevent encrypted data from bypassing content checking mechanisms.
V-29101 Medium The operating system must identify potentially security-relevant error conditions.
V-29106 Medium The operating system must produce audit records containing sufficient information to establish where the events occurred.
V-28868 Medium The operating system must prevent public access into an organization’s internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-29104 Medium The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-29105 Medium The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-30394 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-28809 Medium The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
V-29109 Medium The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-28826 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-29061 Medium The operating system must provide a real-time alert when organization-defined audit failure events occur.
V-29060 Medium The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-29063 Medium The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
V-29062 Medium The information system must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
V-29065 Medium The operating system must enforce the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period.
V-29064 Medium To support audit review, analysis, and reporting the operating system must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-29067 Medium The operating system must support an audit reduction capability.
V-29066 Medium Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
V-29069 Medium The operating system audit records must be able to be used by a report generation capability.
V-29068 Medium The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy.
V-28983 Medium The information system must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-28982 Medium The operating system must track problems associated with the information transfer.
V-28985 Medium The operating system, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust.
V-28984 Medium The information system must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
V-28987 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-28844 Medium The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-28969 Medium The operating system must associate security attributes with information exchanged between information systems.
V-28840 Medium The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-28841 Medium The operating system must terminate all sessions and network connections when non-local maintenance is completed.
V-28842 Medium The operating system must audit non-local maintenance and diagnostic sessions.
V-28843 Medium The operating system must protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user.
V-28963 Medium The operating system must protect audit tools from unauthorized deletion.
V-28962 Medium The operating system must protect the integrity and availability of publicly available information and applications.
V-28961 Medium The operating system must protect audit tools from unauthorized modification.
V-28960 Medium The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures.
V-28848 Medium The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-29100 Medium The operating system must enforce password complexity by the number of upper case characters used.
V-28964 Medium The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
V-30384 Medium The operating system must notify, as required, appropriate individuals when accounts are modified.
V-28822 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-28824 Medium The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed.
V-28860 Medium The operating system must prevent unauthorized and unintended information transfer via shared system resources.
V-29107 Medium The operating system must produce audit records containing sufficient information to establish the sources of the events.
V-28996 Medium The information system, when operating as part of a distributed, hierarchical namespace, must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
V-28997 Medium The operating system must recognize only system-generated session identifiers.
V-28994 Medium The information systems that collectively provide name/address resolution service for an operating system must be fault-tolerant.
V-29130 Medium The operating system must monitor for atypical usage of operating system accounts.
V-30396 Medium The operating system must ensure the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
V-28993 Medium The operating system must take corrective actions, when unauthorized mobile code is identified.
V-28991 Medium The information system must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-30386 Medium The operating system must notify, as required, appropriate individuals for account termination.
V-28998 Medium The operating system must preserve organization-defined system state information in the event of a system failure.
V-28999 Medium The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-28823 Medium The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
V-29034 Medium The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
V-29079 Medium The operating system must protect audit information from unauthorized read access.
V-29076 Medium The operating system must check the validity of information inputs.
V-29077 Medium The operating system must synchronize internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
V-29074 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-29075 Medium The operating system must use internal system clocks to generate time stamps for audit records.
V-29072 Medium The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
V-29108 Medium The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-29070 Medium The operating system must display the DoD approved system use notification message or banner before granting access to the system.
V-29071 Medium The operating system must retain the notification message or banner on the screen until users take explicit actions to logon for further access.