Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18622 | SRC-RAP-060 | SV-20180r1_rule | ECSC-1 | Medium |
Description |
---|
Device authentication must be performed at the perimeter or on a subnet separated from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user authentication does not mitigate the risk from an improperly configured client device. Devices must be tested for policy compliance and assigned a trust level based on the results of a thorough integrity check. This approach checks that devices connecting to the network are authenticated and compliant with network policy prior to allowing access to network resources. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2015-09-16 |
Check Text ( C-22304r1_chk ) |
---|
Have the site representative display the evidence of compliance. This feature must be implemented using a central access policy such as in a gateway or access control appliance. - Government-owned and managed endpoints; - Personally-owned but managed endpoints; - Unmanaged endpoints such as public kiosks or personal computers should limited access to Web-based applications; - Privileged or Administrative access; - Endpoints compliant with DoD required security configurations such as firewalls, antivirus, etc. - Endpoints not compliant with DoD required security configurations such as firewalls, antivirus software, etc. |
Fix Text (F-19251r1_fix) |
---|
Separate the users by conditions and assigned resources based on required minimum security conditions. |