
A policy assessment must be performed on the NAC device to scan remote endpoints attempting to connect to the organization's network.


Overview

Finding ID: V-18836
Version: SRC-NAC-080
Rule ID: SV-20589r2_rule
IA Controls: ECSC-1
Severity: High
Description
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum security controls, they become a threat to the entire network.
STIG: Remote Access Policy STIG
Date: 2015-09-16

Details

Check Text (C-22571r2_chk)
Review the assessment policies configured on the NAC device to ensure the required checks are included. The required checks are listed below:

- Verification that anti-virus software is authorized, running, and virus signatures are up to date.
- Host-based firewall installed and configured according to the organization's security policy.
- Host IDS/IPS is installed, operational, and up to date.
- Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process.
- Required BIOS, operating system, browser, and office application patch levels.
- Performs an assessment of the list of running services.
- Test for the presence of DoD required software.
- Test for the presence of peer-to-peer software (not allowed).

If the assessment policy configured on the NAC device does not include all of the required checks above, this is a finding.
Fix Text (F-19508r2_fix)
Configure the assessment policy for the NAC device to scan remote endpoints prior to connection to an organization's network.

Required checks for the policy assessment:
- Verification that anti-virus software is authorized, running, and virus signatures are up to date.
- Host-based firewall installed and configured according to the organization's security policy.
- Host IDS/IPS is installed, operational, and up to date.
- Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process.
- Required BIOS, operating system, browser, and office application patch levels.
- Performs an assessment of the list of running services.
- Test for the presence of DoD required software.
- Test for the presence of peer-to-peer software (not allowed).
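The two decisions this finding describes, auditing a NAC assessment policy for the eight required checks (the check text) and evaluating one endpoint's posture against those checks before admission (the fix text), as an added Python example. This is illustration code, not part of the STIG or any NAC vendor's product; the JSON policy export format, the check identifiers, the posture report fields and the prohibited-service list are all assumptions made for the example.

```python
"""Audit a NAC assessment policy against V-18836 (SRC-NAC-080) and evaluate
a sample endpoint posture report. Policy/report formats are assumed."""
import json

# The eight required checks from the STIG check text. The short identifiers
# are names chosen for this example, not a vendor's check names.
REQUIRED_CHECKS = {
    "antivirus": "Anti-virus authorized, running, signatures up to date",
    "host_firewall": "Host-based firewall installed and configured per policy",
    "host_ids_ips": "Host IDS/IPS installed, operational, up to date",
    "scan_results": "Malware/anti-virus/IDS scan results feed the decision",
    "patch_levels": "Required BIOS, OS, browser, office patch levels",
    "running_services": "Assessment of the list of running services",
    "required_software": "Presence of DoD required software",
    "p2p_software": "Absence of peer-to-peer software (not allowed)",
}

# Constructed sample policy export: some required checks are disabled or
# absent, so an auditor should report a finding.
SAMPLE_POLICY_JSON = """
{
  "policy_name": "remote-endpoint-posture",
  "checks": [
    {"id": "antivirus", "enabled": true},
    {"id": "host_firewall", "enabled": true},
    {"id": "host_ids_ips", "enabled": false},
    {"id": "patch_levels", "enabled": true},
    {"id": "running_services", "enabled": true},
    {"id": "p2p_software", "enabled": true}
  ]
}
"""


def audit_policy(policy_json: str) -> dict:
    """Return {'finding': bool, 'missing': [...]} for a policy export.

    A required check that is absent or present-but-disabled counts as
    missing; any missing check makes this a finding, as the check text states.
    """
    policy = json.loads(policy_json)
    enabled = {c["id"] for c in policy.get("checks", []) if c.get("enabled")}
    missing = sorted(cid for cid in REQUIRED_CHECKS if cid not in enabled)
    return {"finding": bool(missing), "missing": missing}


# Constructed posture report as a NAC agent might submit for one endpoint.
# Everything passes except the office application patch level.
SAMPLE_POSTURE = {
    "antivirus": {"authorized": True, "running": True, "signatures_current": True},
    "host_firewall": {"installed": True, "policy_compliant": True},
    "host_ids_ips": {"installed": True, "operational": True, "current": True},
    "scan_results": {"malware_found": False, "ids_alerts": 0},
    "patch_levels": {"bios": True, "os": True, "browser": True, "office": False},
    "running_services": ["sshd", "cron"],
    "required_software": {"present": True},
    "p2p_software": {"present": False},
}

# Services the organization's policy forbids on remote endpoints (assumed).
PROHIBITED_SERVICES = {"telnetd", "ftpd"}


def evaluate_posture(report: dict) -> dict:
    """Return {'admit': bool, 'failed_checks': [...]} for one endpoint.

    Every required check is evaluated and all must pass; missing fields
    default to failing so an incomplete report cannot be admitted.
    """
    av = report.get("antivirus", {})
    fw = report.get("host_firewall", {})
    ids = report.get("host_ids_ips", {})
    scans = report.get("scan_results", {})
    patches = report.get("patch_levels", {})
    services = set(report.get("running_services", []))
    results = {
        "antivirus": all(av.get(k) for k in ("authorized", "running", "signatures_current")),
        "host_firewall": all(fw.get(k) for k in ("installed", "policy_compliant")),
        "host_ids_ips": all(ids.get(k) for k in ("installed", "operational", "current")),
        "scan_results": not scans.get("malware_found", True) and scans.get("ids_alerts", 1) == 0,
        "patch_levels": all(patches.get(k) for k in ("bios", "os", "browser", "office")),
        "running_services": not (services & PROHIBITED_SERVICES),
        "required_software": bool(report.get("required_software", {}).get("present")),
        "p2p_software": not report.get("p2p_software", {}).get("present", True),
    }
    failed = sorted(k for k, ok in results.items() if not ok)
    return {"admit": not failed, "failed_checks": failed}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY_JSON), indent=2))
    print(json.dumps(evaluate_posture(SAMPLE_POSTURE), indent=2))
```

Run against the constructed inputs, audit_policy reports a finding with host_ids_ips, required_software and scan_results missing, and evaluate_posture denies admission because of the patch_levels check; the point of keeping both functions is that a NAC can only make the second decision correctly if the first audit passes.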