Remote Access Policy STIG

Findings (MAC III - Administrative Sensitive)

| Finding ID | Severity | Title |
|---|---|---|
| V-18836 | High | If a policy assessment server or service is used as part of an automated access control decision point (for authentication and authorization of unmanaged remote endpoints to the network), the remote access solution must include the minimum required policy assessment checks for unmanaged devices prior to allowing remote access to the network. |
| V-18855 | High | Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies. |
| V-18851 | High | The DAA will approve all remote access connections that bypass the policy enforcement/assessment solution. |
| V-19830 | High | Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location. |
| V-19834 | High | Ensure remote access for privileged tasks such as network device, host, or application administration is compliant. |
| V-19151 | High | Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location. |
| V-18837 | Medium | Ensure that for unmanaged client endpoints, the system automatically scans the device once it has connected to the physical network but before giving access to the trusted internal LAN. |
| V-18835 | Medium | Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself. |
| V-18853 | Medium | Endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process. |
| V-19152 | Medium | Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access. |
| V-19150 | Medium | Remote/telework endpoints not capable (e.g., lacks enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network. |
| V-18852 | Medium | For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied. |
| V-18590 | Medium | Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access. |
| V-18680 | Medium | If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access. |
| V-18536 | Medium | Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users. |
| V-18535 | Medium | Ensure the use of a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communications server software. |
| V-19833 | Medium | Ensure the remote access server (RAS) is located in a dual-homed screened subnet. |
| V-19832 | Medium | Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture. |
| V-18847 | Medium | If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy. |
| V-18844 | Medium | The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication. |
| V-18843 | Medium | Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers. |
| V-18842 | Medium | The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised. |
| V-19149 | Medium | When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client. |
| V-18854 | Medium | After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance. |
| V-21799 | Medium | Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls. |
| V-18622 | Medium | The remote access policy will provide separation of traffic based on sensitivity and user trust levels. |
| V-19140 | Medium | Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets comply with the requirements. |
| V-18833 | Low | Ensure devices failing policy assessment that are not automatically remediated, either before or during the remote access session, will be flagged for future manual or automated remediation. |
| V-18834 | Low | During security policy assessment, a procedure will exist so that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the "blacklist" and the connection will be terminated. |
| V-18838 | Low | The automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements. |
| V-18750 | Low | Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or EAP tunneled within PPP. |
| V-18754 | Low | When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device. |
| V-21800 | Low | Where non-DoD information systems are used for processing unclassified emails for the teleworker whose normal duty location is the mobile or telework location(s), the user will have the ability to send and receive digitally encrypted and signed email. |
| V-19145 | Low | Users who telework regularly are informed of the requirement to configure home networking router or firewall appliances to implement NAT. |
| V-14751 | Low | Sites allowing contractors, non-DoD entities, or other DoD organizations to remotely connect to the enclave will establish written Memorandums of Agreement (MOAs) with the contractor or other organization. |
| V-19139 | Low | Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training. |
| V-19383 | Low | Ensure that when TLS VPN is used, endpoints that fail "required" critical endpoint security checks will receive either no access or only limited access. |
| V-19382 | Low | Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures. |
| V-19381 | Low | Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment. |
| V-19831 | Low | Ensure the required accreditation documentation (e.g., DIP) is kept updated. |
| V-18846 | Low | Where automated remediation is used for remote access clients, traffic separation will be implemented, and authorized and unauthorized network traffic will use separate security domains (e.g., Virtual Local Area Networks (VLANs)). |
| V-19147 | Low | Provide teleworkers training on best practices for operating a secure network. |
| V-18841 | Low | Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP). |
| V-19143 | Low | The remote user agreement will contain a Standard Mandatory Notice and Consent Provision. |
| V-19148 | Low | When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected. |
| V-19144 | Low | Train users not to connect remote clients which process sensitive information directly into the broadband modem. |
| V-25034 | Low | Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. |
| V-25036 | Low | The site physical security policy must include a statement on whether CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility. |
| V-25035 | Low | The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority. |
| V-19142 | Low | Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent in remote access methods. |
| V-19146 | Low | Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolate), so that the devices are logically separated by the appliance or router (on a different logical segment of the network). |