| V-18836 | High | If a policy assessment server or service is used as part of an automated access control decision point (for authentication and authorization of unmanaged remote endpoints to the network), the remote access solution must include the minimum required policy assessment checks for unmanaged devices prior to allowing remote access to the network. | Automated policy assessment must validate the organization's minimum security requirements so entry control decisions do not put the organization at risk because of a compromised remote device.... |
| V-18855 | High | Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies. | If endpoint devices used to access restricted networks and systems are not compliant with security policies and able to pass policy assessment then privileged information and systems may be at... |
| V-18851 | High | The DAA will approve all remote access connections that bypass the policy enforcment/assessment solution. | Remote access connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the DAA. |
| V-19830 | High | Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location. | Failure to use approved communications equipment and security measure can lead to unauthorized disclosure, loss, or compromise of classified information.
|
| V-19834 | High | Ensure remote access for privileged tasks such as network devices, host, or application administration is compliant. | If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework... |
| V-19151 | High | Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location.
| Use of improperly configured or lower assurance equipment and solutions could compromise high value information. |
| V-18837 | Medium | Ensure that for unmanaged client endpoints, the system must automatically scan the device once it has connected to the physical network but before giving access to the trusted internal LAN. | Unmanaged devices that are not controlled or configured by DoD should not be used on the network. Contractor and partner equipment must also comply with DoD endpoint configuration requirements and... |
| V-18835 | Medium | Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself. | Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with... |
| V-18853 | Medium | Endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process. | This type of access could permit an unauthorized endpoint onto the network. Depending on the critical nature of the authorization failure (e.g., virus detected) this type of access could place the... |
| V-19152 | Medium | Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access. | Equipment owned or controlled by non-DoD entities may contain malware or other vulnerabilities which may present a danger to the network. |
| V-19150 | Medium | Remote/telework endpoints not capable (e.g., lacks enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network. | If the client is incapable of employing critical security protections then allowing access to that devices could expose the network to potentially significant risk. |
| V-18852 | Medium | For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied. | Devices that fail authentication are not permitted on the network. These devices may contain malware or content which is harmful to the enclave. |
| V-18590 | Medium | Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access. | A centralized policy manager provides a consistent security policy, particularly in environments with multiple remote access devices such as multiple VPNs or RAS devices. This is a best practice... |
| V-18680 | Medium | If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access. | In this STIG, a managed device is defined as a device that has installed software (i.e. an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device... |
| V-18536 | Medium | Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users. | When services, ports, and protocols are enabled by default or are not regularly used, SAs can neglect to secure or updates them. These services can then become a path for exploitation since they... |
| V-18535 | Medium | Ensure the use a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communications server software. | Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities. The system administrator must monitor IAVM, OS, or OEM patch or... |
| V-19833 | Medium | Ensure the remote access server (RAS) is located in a dual homed screened subnet. | Without a screened subnet architecture traffic that would be normally destined for the DMZ would have to be redirected to the site's internal network. This would allow for a greater opportunity... |
| V-19832 | Medium | Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture. | The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of... |
| V-18847 | Medium | If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy.
| If a device fails the sites approved security policy assessment test, then it may contain compromised data. Using a VLAN to keep trusted and untrusted traffic safe his kept separated while the... |
| V-18844 | Medium | The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication. | The remote user policy assessment/enforcement device will be installed on a separate host from the authentication server. This device interacts directly with public networks and devices and... |
| V-18843 | Medium | Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers. | Unmanaged clients such as partner or contractor-owned devices should not contain restricted government informaiton. |
| V-18842 | Medium | The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised. | Remote access devices are often lost or stolen. They represent a threat to the enclave if the agent is compromised as this is the data collection entity in the policy assessment solution. An... |
| V-19149 | Medium | When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client. | The DoD architechure is extensive and is designed to protect the enclave and it's endpoints. When a remote user accesses the internet directly, this infrastucture is not leveraged. All... |
| V-18854 | Medium | After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance. | After initial remediation, unmanaged devices should be tested again prior to authorization and admittance. This will mitigate the risk that the remediation did not completely eliminate the cause... |
| V-21799 | Medium | Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls. | There may be hardware or keyboard capture software which could monitor computer usage and keystrokes. Also, these computers may contain virus' and other malicious code which may infect DoD... |
| V-18622 | Medium | The remote access policy will provide separation of traffic based on sensitivity and user trust levels.
| Device authentication must be performed at the perimeter or on a subnet separated from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user... |
| V-19140 | Medium | Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets and comply the requirements.
| Unmanaged endpoints must be configured according to the organization's security policy and standards before these devices can be allowed access to even the most non-sensitive areas of the network... |
| V-18833 | Low | Ensure devices failing policy assessment that are not automatically remediated either before or during the remote access session, will be flagged for future manual or automated remediation. | Devices not compliant with DoD secure configuration policies will not be permitted to use DoD licensed software.
The device status will be updated on the network and in the HBSS agent. A reminder... |
| V-18834 | Low | During security policy assessment, a procedure will exist that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated.
| Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network... |
| V-18838 | Low | Automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements. | DOD requires that products used for IA be NIAP compliant. |
| V-18750 | Low | Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or EAP tunneled within PPP.
| Trusted computing shoud require authentication and authorization of both the user's identity and the identity of the computing device. It is possible that an authorized user may be accessing the... |
| V-18754 | Low | When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.
| Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is... |
| V-21800 | Low | Where non-DoD information systems are used for processing unclassified emails for the teleworker whose normal duty location in the mobile or telework location (s), the user will have the ability to send and receive digitally encrypted and signed email. | DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP). Users need this capability to read and send digitally signed email and to ensure non-repudiation. |
| V-19145 | Low | Users who telework regularly are informed of the requirement to configure home networking router or firewall appliances to implement NAT. | Configuring NAT on the network security gateway or firewall will help prevent hosts on the Internet from accessing the DOD teleworker computer directly. |
| V-14751 | Low | Sites allowing contractors, non-DoD entities, or other DoD organization to remotely connect to the enclave will establish written Memorandum of Agreements (MOAs) with the contractor or other orgranization. | To provide the maximum level of security for both the DoD network and the remote corporate enterprise, an MOA is needed that allows administrative oversight and confiscation of compromised equipment.
|
| V-19139 | Low | Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training. | Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained... |
| V-19383 | Low | Ensure that when TLS VPN is used, endpoints that fail “required” critical endpoint security checks will receive either no access or only limited access. | Remote endpoint devices requesting TLS portal access will either be disconnected or given limited access as designated by the DAA and system owner if the device fails the authentication or... |
| V-19382 | Low | Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures. | It is not enough to enable FIPS encryption. To gain the full security implied by the FIPS standard, the functions and procedures required by the FIPS 140-2 documents must also be implemented. |
| V-19381 | Low | Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment. | NOTE: TLS 1.0 and later uses the ephemeral Diffie-Hellman key establishment method, but this does not meet the requirements of NIST SP 800-56A. NIST has granted a waiver from this requirement for... |
| V-19831 | Low | Ensure the required accreditation documentation (e.g. DIP) is kept updated. | The most critical part of a remote access solution is to create a centralized point of access and authentication close to the network edge. This device manages access to network resources on the... |
| V-18846 | Low | Where automated remediation is used for remote access clients, traffic separation will be implemented and authorized and unauthorized network traffic use separate security domains (e.g., Virtual Local Area Networks (VLANs)). | A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security... |
| V-19147 | Low | Provide teleworkers training on best practices for operating a secure network.
| Changing the default passwords on the devices helps protect against attackers using these LANs to gain access to the device. List of manufacturer default passwords are widely available on the Internet. |
| V-18841 | Low | Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP). | Communications between the remote client and the system which makes the decision to allow or terminate access to the network is privileged traffic. Privileged communication should be separated... |
| V-19143 | Low | Remote user agreement will contain a Standard Mandatory Notice and Consent Provision. | Lack of user training as evidenced by signed documentation may indicate the users lack understanding of their responsibilities to safeguard the network and be a significant vulnerability to the enclave. |
| V-19148 | Low | When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected. | Endpoints that are directly connected to public networks are vulnerable to various forms of attack the longer they remain connected. A properly configured VPN adds defense in depth... |
| V-19144 | Low | Train users not to connect remote clients which process sensitive information directly into the broadband modem. | If a telework devices connect directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device is directly accessible from the Internet and at high risk... |
| V-25034 | Low | Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. | Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized people. Without adequate training... |
| V-25036 | Low | The site physical security policy must include a statement if CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility. | Wireless client, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the... |
| V-25035 | Low | The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority. | Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. |
| V-19142 | Low | Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent with remote access methods. | Lack of user training and understanding of responsibilities to safeguard the network are a significant vulnerability to the enclave. Once policies are established, users must be trained to these... |
| V-19146 | Low | Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolate), the devices are logically separated by the appliance or router (on a different logical segment of the network). | If a personal firewall on a computer malfunctioned, the appliance or router would still protect the computer from unauthorized network communications from external computers. In some cases, the... |
